If you set your website's anonymous authentication settings to use the app pool identity, then you only need to grant the app pool identity access, unless you have a section of the site that doesn't use anonymous authentication, in which case you need to also grant the authenticated users access. I recommend that configuration. It's refreshing to not have to manage an app pool identity account plus an anonymous account.
If you aren't writing to disk, just list/read is all that is needed. If you need to write anything to disk then you'll need to grant write permissions too.
For #3, if it's just 1 server, you can do it from IIS Manager and NTFS permissions. If you plan to script this for multiple servers, let us know and we can provide further details.
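A scripted version of the setup described above, as an added example that is not part of the original post. The site name, app pool name, content path and writable folder are assumed placeholders, and the script assumes the pool runs under the built-in ApplicationPoolIdentity.

```powershell
# Added example; all names below are assumptions, adjust to your environment.
$siteName  = 'Default Web Site'               # hypothetical site
$poolName  = 'DefaultAppPool'                 # hypothetical app pool
$sitePath  = 'C:\inetpub\wwwroot'             # hypothetical content root
$writePath = 'C:\inetpub\wwwroot\App_Data'    # hypothetical folder needing writes; $null if none

Import-Module WebAdministration

# The "IIS AppPool\<name>" virtual account only exists when the pool uses
# ApplicationPoolIdentity. With a custom account, grant that account instead.
$idType = (Get-Item "IIS:\AppPools\$poolName").processModel.identityType
if ($idType -ne 'ApplicationPoolIdentity') {
    throw "Pool '$poolName' runs as '$idType'; grant NTFS rights to that account instead."
}

# An empty userName makes anonymous requests run as the app pool identity
# rather than the separate IUSR account.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name 'userName' -Value ''

$identity = "IIS AppPool\$poolName"

# Read & execute (covers list/read) on the content root, inherited by
# subfolders (CI) and files (OI).
icacls $sitePath /grant "${identity}:(OI)(CI)RX"
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $sitePath" }

# Write access only where the application actually writes to disk,
# scoped to that one folder instead of the whole site.
if ($writePath) {
    icacls $writePath /grant "${identity}:(OI)(CI)M"
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $writePath" }
}

# Print the resulting ACL and the effective anonymous user for review.
icacls $sitePath
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name 'userName'
```

To apply it to several servers, the same body can be passed as a script block to `Invoke-Command -ComputerName`.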