[This is preliminary documentation and subject to change]

Configurable Worker Process Identity

Worker processes can be configured to run under an account with lower privileges than LocalSystem, which provides greater security and reliability. The identity is configurable on an application pool basis, much like process recycling and CPU throttling. For instance, suppose an Internet Service Provider (ISP) wants to allow customers to upload CGI applications. To contain the applications and protect its systems, the ISP can have the applications execute under a special worker process identity. This prevents a flaw in a component running as LocalSystem from enabling an attacker to take control of the computer on which the component is running and to access information that could be used to attack other computers.

For more information about configuring the identity of a worker process, see "xxx".
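
The following check is an added example and is not part of the original documentation. It assumes IIS 7 or later with the WebAdministration PowerShell module (the `IIS:\AppPools` drive and the `processModel.identityType` property), which this page does not describe; the function names and the sample pool name are hypothetical.

```powershell
# Added example: report each application pool's worker process identity,
# flag pools that still run as LocalSystem, and move a pool to a built-in
# low-privilege account. Assumes IIS 7+ and an elevated PowerShell 3+ session.
Import-Module WebAdministration

function Get-AppPoolIdentityReport {
    # One object per application pool, read from the IIS: provider drive.
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        $type = [string]$_.processModel.identityType
        [pscustomobject]@{
            Pool         = $_.Name
            IdentityType = $type
            # A user name is only meaningful when a specific account is set.
            UserName     = $(if ($type -eq 'SpecificUser') { $_.processModel.userName } else { '' })
            RunsAsSystem = ($type -eq 'LocalSystem')
        }
    }
}

function Set-AppPoolLowPrivilegeIdentity {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Pool,
        # ApplicationPoolIdentity requires IIS 7.5 or later.
        [ValidateSet('ApplicationPoolIdentity', 'NetworkService', 'LocalService')]
        [string] $IdentityType = 'NetworkService'
    )
    $path = "IIS:\AppPools\$Pool"
    if (-not (Test-Path $path)) { throw "Application pool '$Pool' not found." }
    # -WhatIf shows the change without applying it.
    if ($PSCmdlet.ShouldProcess($Pool, "Set worker process identity to $IdentityType")) {
        Set-ItemProperty -Path $path -Name processModel.identityType -Value $IdentityType
    }
}

# List pools whose worker processes run as LocalSystem.
Get-AppPoolIdentityReport | Where-Object { $_.RunsAsSystem } |
    Format-Table Pool, IdentityType -AutoSize

# Preview the change for one pool ('CustomerCgiPool' is a constructed sample name).
# Set-AppPoolLowPrivilegeIdentity -Pool 'CustomerCgiPool' -WhatIf
```

After changing a pool's identity, confirm that the new account has the file system permissions the hosted applications need, since content readable by LocalSystem may not be readable by the lower-privileged account.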


© 1997-2001 Microsoft Corporation. All rights reserved.