So I "think" I got this to work. I created a local group on the box, added a
domain group (with the web developer domain accounts in it) in to that local
group , then gave the local group full control over everything in the
metabase. I also gave them permissions for the web extensions and app pools
Unfortunately, you can't just set it at the top and tell it to propagate
down, you actually have to set each folder in the tree.
I also had to launch IIS and make sure that the local group had permissions
on each web site that they needed to access.
This will allow my developers to update the sites.
I also gave them full control of the webfolders that they are admins of so
that they can update web content.
Full control of the Inetpub,system32\ Inetserv, microsoft.net and read
access to the IIS logs folder (wherever they've directed them).
The file permissions I have set by GPO (since I have about 8 web servers
that have the load-balanced web site on it) I am looking at copying the
metabase setup by GPO also, so that I can set it on one server, copy the
metabase and then deploy that by GPO.
My developers also created special services for this box and a special event
viewer, so I had to give them permissions to stop, start and delete those
services (along with start/stop for the WWW service) and the ability to clear
that special event log. If you need this info too, let me know and I can post