Hi Michael McGovern,
Thank you for using our services.
When we run the WPI to install Sitefinity CE we get the following users added to the permissions list NETWORK SERVICE and IIS_IUSRS, refer to attached image. The NETWORK SERVICE user is added because we are running the application in IIS 7 Integrated pipeline mode and this is the identity of the default application pool. If you are running IIS 6.0 the user added instead of the NETWORK SERVICE one will be the ASP.NET worker process. The NETWORK SERVICE or ASP.NET users only need full control over the App_Data folder you can revoke the rest of the permissions if they do not fit your security policy.
You can find more information on the IIS_IUSRS account if you follow this link
the Telerik team