Here's a good explanation of what happens:
IIS introduces a new security feature in Service Pack 2 (SP2) of
Windows Server 2008 and Windows Vista. It's called Application Pool
Identities. Application Pool Identities allow you to run Application
Pools under a unique account without having to create and manage
domain or local accounts. The name of the Application Pool account
corresponds to the name of the Application Pool.
In Windows 7, IIS application pool isolation was taken yet to a
different level. The new change introduced in IIS7 (Windows Server
2008) was a new option to run your application pool as AppPoolIdentiy.
However, the default for an application pool identity in IIS7 remained
the same NetworkService. In IIS7.5, AppPoolIdentiy becomes a
default. Thus, scripts previously expecting permissions for their
application pool identity to be set to NT Service\NetworkService
will now have to set permissions (ACLs) for IIS AppPool\ the user account created for each new application pool.