Parts of this post are taken from: https://www.helicontech.com/isapi_rewrite/doc/security.htm – these worked to resolve issues I was having with Plesk with custom sites but not with WordPress sites, which also required the plugin listed below.
Automatic installation of ISAPI_Rewrite on a clean default Windows system does not require any permission tweaking. But installing of some other products like Plesk, IIS Lock Down Tool, etc. may tighten server security and prevent ISAPI_Rewrite from correct operation. Here is a list of premissions required by ISAPI_Rewrite.
On Windows 2000, Windows XP and Windows 2003 in IIS5 compatibility mode filter runs in the inetinfo.exe process under the System account. Thus System account should be given at least Read and List Folder Content access to the folder locating ISAPI_Rewrite installation files. We also recommend giving System account general Modify permissions on this folder. That will allow creation of log files containing parse and other errors. The same permissions should be given to any web site folder containing .htaccess files or ISAPI_Rewrite will be unable to load and monitor it.
Pay special attention to any Deny permission settings on ISAPI_Rewrite installation directory because in Windows OS Deny permissions override any Allow premissions records.
On Windows 2003 in native IIS mode (WPI mode) and Windows Server 2008 both the filter and the proxy run in the w3wp.exe worker process corresponding to an application pool hosting particular web application. Each application pool could be configured to use its own identity. This could turn permissions configuration into a tricky task. However in a correct IIS configuration each used identity should be a member of IIS_WPG group. So, IIS_WPG group could be used instead of System account to assign required permissions as noted above.
On Windows Vista permissions configuration is almost the same as Windows 2003 configuration except that there is no IIS_WPG group there. So, all WPI accounts (usually NETWORK SERVICE is the only such account) should be given required permissions.
Additionally for proxy function to work you will need to enable at least “Scripts only” execution permission in the properties of web site or web application which will be running proxy.
There’s a handy plugin for WordPress + ISAPI_rewrite at https://wordpress.org/extend/plugins/isapi-rewriter