Impersonation

To save network overhead, the Windows NT family was designed to impersonate a user
account context when it requests access to resources on a remote server. Impersonation
works by letting the server notify the security subsystem that it is temporarily adopting
the token of the client making the resource request. The server can then access resources
on behalf of the client, and the security subsystem validates all access as normal. The
classic example of impersonation is anonymous requests for web pages via IIS. IIS
impersonates the IUSR_machinename account during all of these requests.