Using icacls to list ownership of directories
Solution 1:
At the risk of shamelessly rep-whoring, here's a batch file that will return any directories that name `BUILTIN\IIS_IUSRS" with "Full Control" permission (with object and container inherit enabled):
@echo off
for /f "usebackq delims=" %%i in (`dir /ad /s /b`) do call :df "%%i"
goto :EOF
:df
icacls %1 | find /i "BUILTIN\IIS_IUSRS:(OI)(CI)(F)" >NUL 2>NUL
if not errorlevel 1 echo %~1
Run this in the your top-level directory. It will output any directories it finds with the permission you're looking for.