IUSR and IWAM date back to the very early days of IIS, when you installed it separately (not as an OS component). By default, if a web site permits anonymous authentication, the IUSR account is used with respect to permissions on the OS. This can be changed from the default. There are some security recommendations to at least rename the account, so it's not a "known" account, much like there is a recommendation to rename the administrator account on a server. You can learn more about IUSR and authentication at MSDN.
IWAM was designed for all out-of-process applications and is only used in IIS 6.0 when you're in IIS 5.0 isolation mode. You usually saw it with COM/DCOM objects.
With respect to application pool identities, the default is to run as Network Service. You should not run as Local System because that account has rights greater than those of an administrator. So that basically leaves you with Network Service, Local Service, or a local/domain account other than those two.
As to what to do, it depends. One advantage of leaving it as Network Service is that this is a limited-privilege account on the server. However, when it accesses resources across the network, it appears as Domain\ComputerName$, meaning you can assign permissions that permit the Network Service account to access resources such as SQL Server running on a different box. Also, since it appears as the computer account, if you enable Kerberos authentication, the SPN is already in place if you're accessing the website by the server name.
A case where you'd consider changing the application pool to a particular Windows domain account is if you want a particular account accessing networked resources, such as a service account accessing SQL Server for a web-based application. There are other options within ASP.NET for doing this without changing the application pool identity, so this is no longer strictly necessary. Another reason you'd consider using a domain user account is if you were doing Kerberos authentication and you had multiple web servers servicing a web application. A good example is if you had two or more web servers serving up SQL Server Reporting Services. The front end would probably point to a generic URL such as reports.mydomain.com or reporting.mydomain.com. In that case, the SPN can only be applied to one account within AD. If you have the app pools running under Network Service on each server, that is not going to work, because when they leave the servers, they appear as Domain\ComputerName$, meaning you'd have as many accounts as you had servers serving up the app. The solution is to create a domain account, set the app pool identity on all servers to the same domain user account and create the one SPN, thereby permitting Kerberos authentication. In the case of an app like SSRS, where you may want to pass the user credentials through to the back-end database server, Kerberos authentication is a must, because then you're going to have to configure Kerberos delegation.
I know it's a lot to take in, but the short answer is, except for Local System, it depends.
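The multi-server Kerberos setup described in the answer above (one domain account, the same app pool identity on every server, exactly one HTTP SPN), written out as an added PowerShell example. This is not code from the original answer; the domain name CONTOSO, the service account svc_reports, the pool name ReportsPool and the server names WEB01/WEB02 are placeholders, and only reports.mydomain.com comes from the answer. It assumes the ActiveDirectory and WebAdministration modules, setspn.exe, and PowerShell remoting to the web servers.

```powershell
# Added example, not part of the original answer. Placeholder names throughout:
# CONTOSO, svc_reports, ReportsPool, WEB01/WEB02 are assumptions; reports.mydomain.com
# is the generic front-end name the answer uses.
$Domain   = 'CONTOSO'
$SvcUser  = 'svc_reports'
$Fqdn     = 'reports.mydomain.com'
$PoolName = 'ReportsPool'
$Servers  = 'WEB01', 'WEB02'

# Prompt for the service account password rather than embedding it in the script.
$Cred = Get-Credential -UserName "$Domain\$SvcUser" -Message "Password for $Domain\$SvcUser"

# 1. One domain account that every server's app pool will run as.
Import-Module ActiveDirectory
New-ADUser -Name $SvcUser -SamAccountName $SvcUser -AccountPassword $Cred.Password `
    -Enabled $true -PasswordNeverExpires $true

# 2. Exactly one SPN for the shared URL, registered on that account and not on any
#    computer account. setspn -S checks the forest for duplicates before adding,
#    so a second registration (for example a leftover on WEB01$) fails loudly
#    instead of silently breaking Kerberos for the site.
setspn -S "HTTP/$Fqdn" "$Domain\$SvcUser"
setspn -L "$Domain\$SvcUser"        # verify: HTTP/reports.mydomain.com listed once

# 3. Point the pool on each server at the same account.
#    identityType 3 = SpecificUser in the IIS processModel configuration.
$PlainPassword = $Cred.GetNetworkCredential().Password
foreach ($server in $Servers) {
    Invoke-Command -ComputerName $server -ArgumentList $PoolName, "$Domain\$SvcUser", $PlainPassword -ScriptBlock {
        param($pool, $user, $pass)
        Import-Module WebAdministration
        Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel -Value @{
            identityType = 3
            userName     = $user
            password     = $pass
        }
        Restart-WebAppPool -Name $pool
    }
}

# 4. Check from a domain-joined client: a service ticket for the shared name should
#    now be issued against the single account, whichever server answers.
klist get "HTTP/$Fqdn"
```

The order matters: register the SPN on the domain account before (or at the same time as) switching the pools, because once the pools leave Network Service the computer accounts no longer represent the site, and a client that still resolves the SPN to a computer account will fall back to NTLM or fail. The `setspn -L` and `klist get` lines are the two checks worth keeping in a runbook; if `klist` shows no ticket for HTTP/reports.mydomain.com, look for a duplicate SPN before touching IIS. Delegation for the SSRS pass-through case the answer mentions is a separate step on the same service account and is not shown here.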