IUSR should remain as the anonymous user and I "think" it only needs read permissions anywhere, I never have had to change permissions for IUSR
The user that is the identity on the application pool is the user who needs permissions, NETWORK SERVICE is commonly used but it can be more secure to use a different user and app pool for each site with least needed permissions. So whatever the user identity on the app pool that is the one who should have read access to the whole web, and read/write/modify on /App_Data and /Data. If the user can still write to other folders after that then you can go back to the root folder and add deny write in file system permissions.
Hope it helps,