I'm trying to figure out how a user is able to access our database via webpage but isn't in any group, that I know of, that has access to the group.

I'm not familiar with security for either of these, SQL Server and ASP.Net.

For the webpage, which is built with ASP.Net, we use the following connection string: Data Source=[ServerName];Initial Catalog=[DatabaseName];Integrated Security=True

We have a user in the SQL Database 2005 for NT AUTHORITY\NETWORK SERVICE.

Where would I check in IIS 6 on a Windows 2003 R2 box for permission to access the website?

If more information is needed, please ask.