The user that is the identity on the application pool is the user that needs file system permission (full control on /Data and /App_Data and read on all other web folders and files).
You can look at the properties of the application pool from IIS to find the identity. In some cases it can be confusing if it is configured for the iusr group; one solution to simplify things is to change the identity of the application pool to the existing user NETWORK SERVICE, then give the NETWORK SERVICE user permission as needed.
However, it may be better to create a new application pool with the identity NETWORK SERVICE and then configure your site to use that app pool, to avoid any side effects on other sites that may also use the existing app pool.
Hope that helps,
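
The steps described in the post above, as an added PowerShell example that is not part of the original reply: it reports the current pool identity, creates a dedicated pool running as NETWORK SERVICE, moves the site to it, and applies the permissions listed. The site name `MySite` and pool name `MySitePool` are hypothetical, and the script assumes an elevated session on a server with the WebAdministration module installed.

```powershell
# Added example. $siteName and $poolName are hypothetical placeholders.
Import-Module WebAdministration

$siteName = 'MySite'                        # assumption: your IIS site name
$poolName = 'MySitePool'                    # assumption: name for the new pool
$account  = 'NT AUTHORITY\NETWORK SERVICE'

# 1. Report which identity the site's current application pool runs as.
$site        = Get-Item "IIS:\Sites\$siteName"
$currentPool = $site.applicationPool
$pm          = Get-ItemProperty "IIS:\AppPools\$currentPool" -Name processModel
"Pool '{0}' identity: {1} {2}" -f $currentPool, $pm.identityType, $pm.userName

# 2. Create a dedicated pool so other sites on the old pool are unaffected,
#    set its identity to NETWORK SERVICE, and point the site at it.
if (-not (Test-Path "IIS:\AppPools\$poolName")) {
    New-WebAppPool -Name $poolName | Out-Null
}
# identityType 2 = NetworkService
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.identityType -Value 2
Set-ItemProperty "IIS:\Sites\$siteName" -Name applicationPool -Value $poolName

# 3. Read on the web root (inherited by files and subfolders),
#    full control only on Data and App_Data.
$root = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
icacls $root /grant "${account}:(OI)(CI)R"
foreach ($dir in 'Data', 'App_Data') {
    $path = Join-Path $root $dir
    if (Test-Path $path) {
        icacls $path /grant "${account}:(OI)(CI)F"
    } else {
        Write-Warning "Folder not found, skipped: $path"
    }
}

# 4. Show the resulting ACLs so the grants can be reviewed.
icacls $root
foreach ($dir in 'Data', 'App_Data') {
    $path = Join-Path $root $dir
    if (Test-Path $path) { icacls $path }
}
```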