If IIS is configured for anonymous access and you connect to SQL Server
using Windows authentication, the IIS anonymous account (e.g. IUSR_MYSERVER)
is used.  Database object access is limited to the permissions granted to
this account or roles that this account is a member of.  If the IIS security
context is established using Windows or Basic authentication, then the end
user's account (e.g. 'MyDomain\UserA') is used.  You can execute sp_who to
determine the actual account used for the connection.

Permissions are required only on objects directly accessed by the
application as long as the ownership chain is unbroken.  With an unbroken
chain (all objects owned by same user), permissions on indirectly referenced
objects are not checked.  Consequently, if all your objects are owned by
'dbo', only execute permissions on the procedures executed by the
application are needed.  Note that dynamic SQL within procs breaks the
ownership chain so this is considered direct object access for security
purposes.  See Ownership Chains in the Books Online for more information.

Procs execute under the normal security context of the database connection.
However, as I previously mentioned, permissions are not checked when the
ownership chain is unbroken.