In IIS 7.0, what is the difference between the application pool identity and the web site identity?
The two accounts are different things. Think of the website identity representing the user of the site. If you create a new website this account is the anonymous IIS account. If you disable "Anonymous Authentication", your users will have to authenticate against the website (in a intranet/Windows domain site this could be implicite using the network credentials.)
The application pool identity is the Windows account needed for running your assemblies. Normally it is the "Network Service" account which is a least privileged account with limited user rights and permissions. It does have network credentials. This means that you can use it to authenticate against network resources in a domain. You can also use it to access a SQL Server database with integrated security.
For example, if your ASP.NET application has to write to a folder, you have to grant the permission to the application pool account, not to the website account. For more information on application pool identities, read here.
Note: In IIS 7 there is a way to use the same account of the Application Pool identity for the anonymous website account: