A lot has been written about this, but I have yet to find the Holy Grail of IIS/Wordpress permissions. The tricky part seems to be the permissions for the root folder – allowing WP to update, while being secure. I have had a bad experience where a plugin – WP Super Cache – has a recursive delete function when removing itself and it ended up walking all folders on the server that IUSR had access to, deleting as it went. This killed dozens of sites and made a huge nightmare for me. Backups were in place, but still – it sucked! Slightly better is:
CREATOR OWNER – special permissions
IUSR – Read & Execute, List Folder contents, Read
SYSTEM – Full Control
Administrators – Full Control
Users – Full Control
*Note: you have to type in the full apppool identity as it is not selectable from the GUI
From this thread: https://wordpress.org/support/topic/the-correct-permissions-for-wordpress-on-iis , however WordPress update failed (plugin installs worked). The same thread suggests adding the appools to the IIS_Users group and giving it full control, but that would seem to give other apppools access to all sites.