Question: Hosting Controller creates a unique 'domain.com_web' user for each of the new website. What is that for?
The "domain.com_web" user is called anonymous web user.
What is Anonymous Web User?
For applications where unknown users will be making requests (typically, public Web applications), IIS supports an "anonymous" user, namely, one who has no authentication credentials. In this scenario, the server on which IIS is running has an extra Windows user defined on it, with a user name of IUSR_. This user account is typically defined with very restricted access rights.
When IIS gets a request from an unknown user, IIS turns around and makes the request to Windows using the "anonymous" user name as its credentials. That is, IIS impersonates the anonymous users for purposes of accessing the resource.
How HC is different?
Instead of assigning same IUSR_ user to each website, HC creates a unique "domain.com_web" user account and sets it as the anonymous user for its website "domain.com". Doing this secures the shared hosting server against many possible threats as described below below.
What is the significance of setting unique IUSR_ User?
Setting unique IUSR_ user for each website has great significance for shared hosting environment.
Symptom#1: Probably 90% of databases currently used on Windows based shared hosting servers are on MS Access and are not password protected. If your server has Active Server Pages enabled, all you need to know is any one else's ODBC Data Source Name. Simply use (Select, Insert, Update, Delete) from his DSN as if it was your own.
Cause: ASP uses the permissions transferred by the IIS to do all database operations. By default all users coming through web are given IUSR_ permissions therefore owner of website "abc.com" may access database of website "xyz.com".
Solution: HC sets unique IUSR_ anonymous user for each website. By doing this, it makes sure that anonymous user of website "abc.com" has no access over the file of website "xyz.com".
Symptom#2: As this test is only for Windows servers, your website is most probably enabled with ASP. If yes, you can try deleting any file using the File Scripting Object (FSO) of ASP. If you can't delete files in the X:\Windows directory, try deleting files of other websites on the same server. If your web host is another typical one, you should be able to do it.
Cause: If IUSR_ user is same for all websites and has Full Control on all websites then there is no way for ASP to judge if you are deleting your own files or some one else's.
Solution: By setting unique IUSR_ anonymous user for each domain, HC makes sure that no one can delete or modify other website's data.