ASP.NET and IIS Application Protection

Just a quick note that IIS Application Protection settings in Internet Services Manager do not apply to ASP.NET applications. All ASP.NET pages are serviced through aspnet_wp.exe (which is already a separate process from inetinfo.exe).

Each ASP.NET application gets its own AppDomain in aspnet_wp.exe

(quote from discuss.develop.com)
I'll answer my own question to some extent. In machine.config, there is an undocumented processModel attribute called "comAuthenticationLevel". This attribute seems to set the the Call Authentication Level for aspnet_wp.exe at the machine level.