IIS 7 Application Pool Identity permissions
If you set your website's anonymous authentication settings to use the app pool identity then you only need to grant the app pool identity access, unless you have a section of the site that doesn't use anonymous authentication, in which case you need to also grant the authenticated users access. I recommend that configuration. It's refreshing to not have to manage an app pool identity account plus an anonymous account.
If you aren't writing to disk, just list/read is all that is needed. If you need to write anything to disk then you'll need to grant write permissions too.
For #3, if it's just 1 server, you can do it from IIS Manager and NTFS permissions. If you plan to script this for multiple servers, let us know and we can provide further details.