Another important security feature is the ability to control the identity under which code is executed.
Impersonation is when ASP.NET executes code in the context of an authenticated and authorized client.
By default, ASP.NET does not use impersonation and instead executes all code using the same user account as the ASP.NET process, which is typically the ASPNET account.
This is contrary to the default behavior of ASP, which uses impersonation by default. In Internet Information Services (IIS) 6, the default identity is the NetworkService account.