I'll try to provide a little more information here. Jill's response is correct - IIS is the host of our application services. However, I'll try to describe a little more about what that means.
We use IIS for a couple of purposes.
1) Management Reporter clients do not communicate directly with the database. Instead, they communicate with WCF web services that retrieve or update data from the database. IIS hosts these services in a worker process that performs all of the interaction with clients. That process runs as a user that can access and update the MR database without requiring the MR users to have access to the database directly.
2) When you configure companies within Management Reporter, the company configuration wizard uses ASP.NET pages. Again, this is done to prevent clients from directly accessing the database. Because we use ASP.NET, IIS is necessary.
I have a question about this security. When the Management Report Aministrator adds a Windows Authenticated new user in MR looking up the user from the entire Directory, and then assigns the Designer Role to the user and Access to companies is assigned,
the New User should be able to open MR, go to Company>Companies and set a Company as Default? Correct?