I should note that I’m not really familiar with Perl running on IIS, but I believe what I have to say should apply to it since it’s a fairly fundamental part of IIS.
Generally anonymous requests to IIS run under the identity of the account set up for the anonymous user on that web server. This is actually done by the system account (or other high-privilege account having the SE_TCB_NAME priv) impersonating the identity of the anonymous account. If the client is authenticated then, at the start of the request, the IIS worker thread will revert to its real identity, then impersonate the account that the client authenticated with.
This means that if your clients are authenticated using either basic authentication or using the IIS integrated authentication then any script they access via the server will run on that server under the security account that they authenticated with.
This does require the IIS server to be part of the same domain / AD structure as the users.
On older (IIS4 and early IIS5) you could use an in-process COM component that called the RevertToSelf API (in advapi32.dll) followed by LogonUser and ImpersonateLoggedOnUser to change the security context that the script was running under. I’m pretty sure this no longer works (and was, anyway, a pretty egregious hack that I absolutely never, ever used in a live environment. Not once. Honest)
I’m not sure that running scripts under a security context specified at runtime is possible with IIS6. I’ll have a poke around and see what I can find.