So I needed to read/write .pdf's to a network share (other than the Web server). There seem to be two options: a>Enable impersonation in the .config and
b>Understand Application Pools and identity (IIS 6.0 only).
Impersonation worked but I don't like the security implications of doing that so I read about changing the identity ASP.NET runs under from NetworkService to a user who has an account on the network.
This TechNet article - http://technet2.microsoft.com/WindowsServer/f/?en/Library/ee6c6b61-9048-460b-b94c-5f69498b07441033.mspx - [look up "Configuring Worker Process Identities" on TechNet if the link is dead] tells how to change the worker process for ASP.NET to a network user. This can get down to per-application identity and allows me to have minimal permissions on the web app while still being able to access network resources.
I am sure there is some great article out there that tells developers to do this, but I never found it...