401/403 Permission Error on New IIS Setup

When configuring a new website in IIS on a Windows server that requires Windows Authentication, always double-check that the Users or Authenticated Users group has read access to the website folders. With Windows Auth, IIS authenticates against the user in Active Directory and then uses those permissions to access the file system. Because the website is set up to require Windows Authentication and not Anonymous access, Windows needs a user account to use to access the file system to serve the files. If that user does not have access to the file system as part of the Users group, they will receive the unauthorized error.

Whoever set up the IIS instance likely is part of a Developers or Administrators group and typically has this access. This can cause the issue where the technology group doesn't see that there is a problem but the regular users in the organization are unable to browse the website from their machines using their accounts.

I've seen this happen over the years with internal Angular or React applications that require Windows Authentication and render just fine for the technology group but users in the organization report they are unable to get to the website. This blog post is intended to help anyone who might be facing a similar problem on a new IIS website.