According to MSDN, "When using impersonation, ASP.NET applications can optionally execute with the identity of the client on whose behalf they are operating. The usual reason for doing this is to avoid dealing with authentication and authorization issues in the ASP.NET application code. Instead, you rely on Microsoft Internet Information ...

A client generates a request for a protected resource. IIS receives the request, and if the requestor is authenticated by IIS, or if IIS Anonymous Access is enabled, the request gets passed on to the ASP.NET application. Because the authentication mode in the ASP.NET application is set to forms, IIS authentication ...