nc said:
I'm fairly clueless as to why these accounts are needed. I see the
explanation in the account properties, but my question is, does every
server in the domain need to have one of these user accounts?
These are the "anonymous" accounts for an IIS server. Usually
they are local to the SERVER where IIS runs unless you are running
IIS on a DC in which case the only place to create them is in the
domain database.
IUSR is used for "reading" content and IWAM for running processes
on the server -- this split it designed to increase security against
attacks.
You can delete the account from AD (or a server) IF you disable IIS
on a DC (or a server) OR you will never allow for anonymous access
to ANY content.