- In case Kerberos is used, this is the account that clients(such as IE) try to communicate with. This is why this account has be registered with a SPN for Kerberos authentication;
- In case you have custom code which need to hop to another server (SQL, File or any web service server), this account will forward login user credential(ticket in kerberos term) to the other server. This is why this account needs to be trusted for delegation;
- This is the account that sharepoint use to connect its own Content Database, which I bet is through a call RunWithElevatedPrivelege.
A couple other things I learn about web application pool account:
if you try to create an application from directly from IIS, you have to run:
ASPNET_regiis.exe -ga domain\pollIdAccount
if you use NetWork Service as pool id in window server 2k, you have to grant "Act as part of the operating system" privilege for impersonation to work. This is not necessary in Server 2003.
All application pool id should be in the IIS_WPG group which grant most permission they need. See here for a full list permission IIS built-in accounts have.