Impersonation lets ASP.NET
restrict access to pages based on that user's identity. Normally ASP.NET takes
the identity of the local machine which means that it has complete access to
all files and folders. When impersonation is enabled, ASP.NET takes on the
role that IIS assigns it. When ASP.NET is impersonating a user, Windows can
restrict access to the application. Lets say that you have an ASP.NET
application that acts like a file browser for the system, by default the user
can see and do anything because ASP.NET has access, with impersonation ASP.NET
only has access to pages that they would normally have (if logged in at the
workstation), so anonymous users have very limited access.
That should give you a better look
at what it's doing.
This article showed you the new
ways that ASP.NET allows you to authenticate your users. I didn't go through
authorization because that's basically the same as checking for access to a
particular resource and getting a yes or no answer. For other articles on
ASP.NET and Security see the Related Articles section.