I am searching for a great, general group of permissions that will permit uploads through the IIS_IUSRS account, automatic updates, etc., without simply granting modify/write use of IIS_IUSRS for the whole site.

Minimal permission needed is perfect for the IIS account to possess read permissions around the /wp-content/uploads/ folder and browse permissions around the relaxation. This can however not permit the user to set up plug ins, make use of the theme editor or install any WordPress updates.

To be able to allow wordpress plugin installs you have to provide the IIS account write permission towards the /wp-content/plugins/ folder. To permit the employment of theme editor you have to the IIS account write permissions around the /wp-content/themes/ folder.

To be able to permit the consumer to set up WordPress updates you have to give read/write permission around the root folder in which you installed WordPress. This is actually the least secure option but however the most typical method to do the installation.