Only /App_Data and /Data Should be Writable
A key principle of security is reducing the attack surface. In mojoPortal content management system the only folders that need to be writable by the web process are the /App_Data and /Data folders. You should make sure no other folders are writable. You should make sure all other folders are not writable by the web process.
The user that needs permissions is the user that is the identity on the application pool used by your site in IIS. On a Windows 2008 server, the way I usually do this is grant the user read permission to the root folder to provide read permissions to the entire web site. Then I grant it write and modify on the /App_Data and /Data folders. Then I go back to the root folder and edit the permissions again and check the box for deny write. It may be different in your environment and shared hosting will typically have some kind of web page for managing permissions. In some hosting it may not be possible for you to tighten down the file system access as much as you would like.
Note that in the example above NETWORK SERVICE is the user that is the identity on the application pool, so that is the user whose permissions are being set. It may be a different user that is the identity on your application pool. Whatever user is the identity on your application pool, that is the user who needs permissions.
Remove Script and Execute Permissions from Writable Folders
The two folders that are writable should not allow executing scripts or executables. If a user somehow manages to upload a malicious script or file, we don't want the web process to be able to run the script or execute the file.
To do this in IIS 7.x
In IIS, in the left pane, click the plus sign next to your site to show all the folders, then click the Data folder
In the middle pane double click "Handler Mappings"
In the right pane click "Edit Feature Permissions"
un-check Script and Execute, then click OK
In the left pane click the App_Data folder
Repeat steps 2 through 4 on the App_Data folder