Well I'll answer my own question.

I compared the security settings for the site that worked with the copy that didn't work. I found that a couple of "other" users had privileges to the working site directory, but not to the non-working site. Those users are NOT the IIS User in the app Pool.

But who cares! Adding them caused things to work.

That's good enough for now!

Mostly that's caused by not having anonymous authentication set to "Application pool identity" in IIS for that site

TImo,

Where, exactly, is that setting.

In IIS, I have Anonymous Authentication "enabled"

In the App Pool section, Identity is ApplicationPoolIdentity.

I'm I missing something else?

Select the Server or a site > IIS > Authentication > Anonymous Authentication > Edit (on the right) > Anonymous user Identity: Application Pool Identity

HTH

To give my two cents in addition to Timo's answer: If you choose the Application Pool Identity (instead of IUSR, and I always use the Application Pool Identity), the Modify permission for the web site has to be granted to this identity, e.g. if your AppPool is called "MyDNNSite", the identity is "IIS AppPool\MyDnnSite".

It is also a good practice to grant the database permissions to this identity. When the SQL Server is on the same machine as the IIS, it is the identity mentioned above, otherwise you have to use the web server's name followed by a $-sign, eg. "MYDOMAIN\WEBSERVER$". When the two machines are not in the same domain, you either have to setup a trust, or use an SQL Server Login (which means that username and password have to be in the connection string in web.config in clear text. I never tried the trust stuff. When both machines do not belong to a domain, an SQL Server Login is required.

I do not guarantee for the correctness of these statements, but this is how I understood it. If anyone knows better, please let me know.

Happy DNNing!
Michael

Thanks, guys!

Was set to IUSR ...