It’s fairly-obviously a permissions problem: the user-id for the web server is probably nobody, which for very obvious reasons “isn’t allowed to do squat!” Windows handles permissions somewhat differently, but the principle and therefore the essential problem is the same.
And of course, with regards to web servers you should be practicing the “principle of least privilege.” Web servers are built to respond to (unpredictable, and quite possibly malicious) requests from the outside world-at-large. You therefore want to strictly limit what they are capable of doing, touching, or even seeing. That way, if someone somehow clocks your server in the head and fools it into asking the operating system to do something really nasty, the operating system will say: “not only ‘no,’ but ...!!” And there will be nothing that the web server (nor the person who secretly took it over) can do about it.