
What are the correct IIS and NTFS permissions for WSUS?

The virtual server should have both anonymous access and Integrated Authentication enabled.

All of the virtual directories should have only anonymous access enabled, except 'WSUSAdmin', which should have only Integrated Authentication enabled, and 'selfupdate', which for some reason has both anonymous access and Integrated Authentication enabled.

I'm not yet sure of the reason for the requirement of IA on the selfupdate tree.

If you are installing WSUS on a Domain Controller, then in all of the following permissions "Administrators" should be "Domain Admins" and "Users" should be "Domain Users".

If you are using Windows 2000, the permissions for "Network Service" may be assigned to the SYSTEM account.

The permissions on the \Program Files\Update Services folder should be:
    Full Control: SYSTEM, Administrators
    Read/Read & Execute/List Folder Contents: IWAM_ComputerName, WSUS Administrators
These permissions should be inherited throughout the ~\Update Services folder tree, with the exceptions noted below.

In addition, these subfolders of ~\Update Services
    administration
    service
    webservices
should also have:
    Read/Read & Execute/List Folder Contents: NT AUTHORITY\Network Service

The Common folder should have no inherited permissions and:
    Full Control: SYSTEM
    Read/Read & Execute/List Folder Contents: Users

The Logfiles folder should have no inherited permissions and:
    Full Control: SYSTEM, NetworkService, Administrators, and IWAM_ComputerName

The selfupdate folder should have no inherited permissions and:
    Full Control: SYSTEM, Administrators
    Read/Read & Execute/List Folder Contents: Users
and these permissions should be inherited downward.

The webservices folder should have:
    Inherited permissions for: Administrators, IWAM_ComputerName
    Full Control: SYSTEM, Administrators
    Read/Read & Execute/List Folder Contents: Authenticated Users, Users, NetworkService

The \WSUS folder should have:
    Full Control: SYSTEM, Administrators
    Read/Read & Execute/List Folder Contents: Users, NetworkService
and these permissions should be inherited to \WSUS\WSUSContent, but not \WSUS\MSSQL$WSUS

The \WSUS\MSSQL$WSUS folder should have:
    Full Control: Administrators
inherited down the folder tree
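
A way to check a server against the NTFS layout above, as an added example that is not part of the original article: it reads each folder's ACL with Get-Acl and reports missing, weaker, stronger or unexpected Allow entries and folders where inheritance is not blocked. The drive letters, the placement of Common, Logfiles and selfupdate directly under ~\Update Services, and the expansion of IWAM_ComputerName from the local computer name are assumptions; only four of the folders are covered.

```powershell
# Added example, not from the original article. Paths below are assumptions.
$UpdateServices = 'C:\Program Files\Update Services'   # assumed install drive
$WsusRoot       = 'C:\WSUS'                            # assumed content drive
$Iwam           = "IWAM_$env:COMPUTERNAME"             # the article's IWAM_ComputerName
$FC = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$RX = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

# Expected ACLs as listed in the article. Protected = $true means "no inherited
# permissions"; $null = not stated. On a DC use 'Domain Admins' / 'Domain Users'.
$Expected = @(
    @{ Path = "$UpdateServices\Common";     Protected = $true
       Full = @('SYSTEM');                  Read = @('Users') }
    @{ Path = "$UpdateServices\Logfiles";   Protected = $true
       Full = @('SYSTEM', 'NETWORK SERVICE', 'Administrators', $Iwam); Read = @() }
    @{ Path = "$UpdateServices\selfupdate"; Protected = $true
       Full = @('SYSTEM', 'Administrators'); Read = @('Users') }
    @{ Path = $WsusRoot;                    Protected = $null
       Full = @('SYSTEM', 'Administrators'); Read = @('Users', 'NETWORK SERVICE') }
)

function Test-FolderAcl {
    param([hashtable]$Entry)
    if (-not (Test-Path -LiteralPath $Entry.Path)) { return "MISSING: $($Entry.Path)" }
    $acl  = Get-Acl -LiteralPath $Entry.Path
    $rank = @{ Other = 0; Read = 1; Full = 2 }
    $seen = @{}                                  # principal -> strongest Allow level
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $name   = ($rule.IdentityReference.Value -split '\\')[-1]   # drop DOMAIN\ prefix
        $rights = [int]$rule.FileSystemRights
        $level  = if (($rights -band $FC) -eq $FC) { 'Full' } elseif (($rights -band $RX) -eq $RX) { 'Read' } else { 'Other' }
        if (-not $seen.ContainsKey($name) -or $rank[$level] -gt $rank[$seen[$name]]) { $seen[$name] = $level }
    }
    $out = @()
    if ($null -ne $Entry.Protected -and $acl.AreAccessRulesProtected -ne $Entry.Protected) {
        $out += "$($Entry.Path): inheritance is not blocked"
    }
    foreach ($lvl in 'Full', 'Read') {
        foreach ($who in $Entry[$lvl]) {
            if ($seen[$who] -ne $lvl) { $out += "$($Entry.Path): $who should be $lvl, found '$($seen[$who])'" }
        }
    }
    foreach ($who in $seen.Keys) {
        if (($Entry.Full + $Entry.Read) -notcontains $who) { $out += "$($Entry.Path): unexpected $who ($($seen[$who]))" }
    }
    $out
}

$Expected | ForEach-Object { Test-FolderAcl $_ }
```

No output means the four folders match the list; entries that grant only generic or inherit-only rights show up as level "Other" and need a manual look.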