While locking down your server and resources to prevent unauthorized access is fine for a local Intranet scenario, it's not much good if you intend to provide information and access to your applications for the great unwashed masses out on the Internet. This requires some way for visitors to log into your site anonymously. Even if they identify themselves, by filling in a form for example, you still won't have a user account for them to log on to.
To achieve this, IIS has it's own account in NT which it uses to access resources on behalf of all anonymous visitors. By default this account is named IUSR_<machinename>, for example IUSR_KLINGON if you're a Star Trek fan, and has a randomly generated password. Anyone requesting a page or other resource from your server via IIS automatically gains the permissions that the IUSR account has.
This means, of course, that you need to set appropriate permissions for this account for each resource on your machine. Remember that the IUSR account will have access to any resources where the Everyone account is enabled:
To select a user account from the dialog that appears when you click Add, you have to click the Show Users button.