BUT, what did I just do here?

但是，我刚刚在这里做了什么？

You are now running your website under the identity of the client user.

您现在正在以客户端用户的身份运行您的网站。

Is there any security risk?

是否存在安全隐患？

That would depend on the permissions that this account has on the server. Usually it is bad practice to run a website with accounts that have lots of privileges. Ideally you should configure your website to run under an account that you explicitly grant privileges to the required folders.

这取决于此帐户在服务器上的权限。通常，使用具有很多权限的帐户运行网站是不好的做法。理想情况下，您应该将网站配置为在您明确授予所需文件夹权限的帐户下运行。

The problem with your approach is that if another user that doesn't have access to the specified folder visits your website, it won't work for him. If on the other hand this is expected behavior then you are probably fine by impersonating user identities.

您的方法的问题在于，如果另一个无权访问指定文件夹的用户访问您的网站，则该方法对他不起作用。另一方面，如果这是预期的行为，那么您可以通过冒充用户身份来解决问题。

Did I grant anonymous access to my website for everyone?

我是否允许所有人匿名访问我的网站？

No, this has nothing to do with authentication.

不，这与身份验证无关。

What you have done is given user rights to work under logged in user.

您所做的是授予用户在登录用户下工作的权限。

And there is a security risk for making impersonate true.

并且使模拟真实存在安全风险。

If you are on production, I would recommend you to read this article http://support.microsoft.com/default.aspx?scid=kb;en-us;329290

如果您从事生产，我建议您阅读这篇文章 http://support.microsoft.com/default.aspx?scid=kb;en-us;329290

"Using impersonation in the web.config allows you to override whatever identity was configured for the Application Pool the app is running under - it's just a more fine grained method to control identity ( on the app level vs. the ApplicationPool level), so you could have two apps run on the same AppPool, but one of them uses impersonation to use another identity." courtesy: App pool identity versus impersonation identity?

“在 web.config 中使用模拟允许您覆盖为应用程序运行的应用程序池配置的任何身份 - 这只是一种更细粒度的方法来控制身份（在应用程序级别与应用程序池级别），因此您可以在同一个 AppPool 上运行两个应用程序，但其中一个使用模拟来使用另一个身份。” 礼貌：应用程序池身份与模拟身份？