Just so you understand this: there are up to 3 identities that are relevant for the web server operations. We recommend that you use the same identity for all 3 purposes, like this:

  1. IIS Process Identity: The .net process must run in the standard Application Pool Account which is automatically generated. This identity is in the group IIS_Users.
    This is best practice, this account specialized for this purpose. Do not create your own accounts for this, as it only lowers your security. 
  2. Database Connection Identity: This should use a different, dedicated account
    1. In most cases you will use SQL login (not Windows/AD) which is specific to this site. 
    2. Make sure that this account is exclusively meant to access this one database.
      This ensures that in case of a security breach, the login information doesn't give the attacker access to any other DBs.  
    3. You can include the username/password in the web.config or use one of the encryption or secrets methods available.
      Just remember that it probably won't really change the security footprint, since an attacker that is able to run code on your system would also be able to access the decrypted values.  
  3. File Access Identity
    1. Basic Model: On the same server use the same application pool identity, and not IUSR for file/disk access.
      This reduces the amount of special cases you must harden. 
    2. Advanced Model: On the network use a special account in your AD made specifically for this purpose.