Can someone guide me to a reference for the minumum security permissions on each webfolder in an IIS7 website?
For Users, Admin, System, Network Service?
I have Network Service as a DB Owner on SQL as well, is this necessary or should I restrict access from it?
EDIT: MVC FOLDERS SPECIFICALLY
Not a direct answer, but I sidestep this issue by having my application installer run "aspnet_regiis -ga SomeDomain\SomeUser" to grant the service account all necessary permissions to run an ASP.NET application.
I'd recommend creating an app pool in IIS and setting its ID to the proper account. Then, you only have to grant that account access on your application's folders as well as the database (trusted connection). You gain a lot more control this way.
I would definitely not set Network Service as db_owner.