Something I keep forgetting.
IIS on 2008R2 creates a special class of user to represent the security principal for code running in an app pool.
In IIS Manager the Identity is shown as ApplicationPoolIdentity. The actual user for an application pool, say the ASP.NET v4.0 one, is IIS AppPool\ASP.NET v4.0,
i.e. the source is “IIS AppPool” and the actual user name is the name of the app pool.
So if you are using Windows integrated login with SQL Server on 2008R2, you can set up a login as above, but type it into the login creation dialog. Don’t use the search function: it will replace the “IIS AppPool” with your server name. Or I guess you can use it to confirm the login name, if you remember to change the source part of the login back after searching.
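Creating the login in T-SQL avoids the search dialog altogether. This is an added example, not part of the original note; the database name AppDb and the permissions granted are assumptions, and it assumes SQL Server runs on the same machine as IIS, since the app pool account is local to that machine.

```sql
-- Added example. AppDb and the granted permissions are placeholders (assumptions).
USE [master];
GO

-- Create the Windows login for the app pool identity if it does not exist yet.
-- The name is typed literally: the source part is "IIS AppPool", not the server name.
IF NOT EXISTS (SELECT 1
               FROM sys.server_principals
               WHERE name = N'IIS AppPool\ASP.NET v4.0')
BEGIN
    CREATE LOGIN [IIS AppPool\ASP.NET v4.0] FROM WINDOWS;
END
GO

USE [AppDb];  -- hypothetical application database
GO

-- Map the login to a database user of the same name.
IF NOT EXISTS (SELECT 1
               FROM sys.database_principals
               WHERE name = N'IIS AppPool\ASP.NET v4.0')
BEGIN
    CREATE USER [IIS AppPool\ASP.NET v4.0]
        FOR LOGIN [IIS AppPool\ASP.NET v4.0];
END
GO

-- Grant only what the application needs, rather than db_owner or sysadmin.
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo
    TO [IIS AppPool\ASP.NET v4.0];
GO

-- Confirm the login was stored with the "IIS AppPool" source intact.
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE name LIKE N'IIS AppPool\%';
GO
```

Because each app pool gets its own login, one pool per application keeps database permissions separated per application.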