SharePoint Identity Contexts


When writing pages or web parts for SharePoint (or indeed just ASP.NET), there are three security identity contexts to take into account.

1. Process/Thread Identity

This is the identity returned by calling WindowsIdentity.GetCurrent(). If ASP.NET impersonation is not enabled, the identity returned will be the process identity (that of the IIS Application Pool). If ASP.NET impersonation is enabled, the identity returned will be the thread (impersonation) identity of the currently authenticated user (or the anonymous user).

Calling WindowsIdentity.GetCurrent(true) returns the identity of the thread (impersonated) user only if impersonation is enabled; otherwise it returns null. Calling WindowsIdentity.GetCurrent(false) or WindowsIdentity.GetCurrent() returns the identity of the thread (impersonated) user if impersonation is enabled, and the process identity (that of the IIS Application Pool) if impersonation is disabled. In this way you can determine whether your ASP.NET application has impersonation enabled: a null result from GetCurrent(true) means it does not. ASP.NET impersonation can be configured to impersonate the currently authenticated user (or the anonymous user), or to impersonate a fixed “Application” identity.

2. ASP.NET User Identity

This is the ASP.NET user identity, returned by calling Context.User.Identity. It is the identity of the currently authenticated user (or the anonymous user) making an HTTP request. Depending on how ASP.NET impersonation is configured, it may be different from the process/thread identity.

3. SharePoint User Identity

This identity is the SharePoint (2007) representation of the ASP.NET user above, and is returned by calling SPContext.Current.Web.CurrentUser.
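
The three lookups described above, combined into one diagnostic helper. This is an added example, not code from the original post; the class and method names are hypothetical, and it assumes it is called from a page or web part running inside a SharePoint 2007 request.

```csharp
using System.Security.Principal;
using System.Text;
using System.Web;
using Microsoft.SharePoint;

// Hypothetical helper: the names are illustrative, not from the original post.
public static class IdentityContextReport
{
    public static string Describe(HttpContext context)
    {
        StringBuilder report = new StringBuilder();

        // 1. Process/thread identity.
        // GetCurrent(true) returns null unless the thread is impersonating,
        // so a non-null result means ASP.NET impersonation is enabled.
        using (WindowsIdentity thread = WindowsIdentity.GetCurrent(true))
        using (WindowsIdentity effective = WindowsIdentity.GetCurrent())
        {
            bool impersonating = thread != null;
            report.AppendLine("Impersonation enabled: " + impersonating);
            report.AppendLine((impersonating
                ? "Thread (impersonated) identity: "
                : "Process (application pool) identity: ") + effective.Name);
        }

        // 2. ASP.NET user identity. User can be null early in the pipeline.
        IPrincipal user = context != null ? context.User : null;
        if (user == null || !user.Identity.IsAuthenticated)
            report.AppendLine("ASP.NET user: anonymous");
        else
            report.AppendLine("ASP.NET user: " + user.Identity.Name
                + " (" + user.Identity.AuthenticationType + ")");

        // 3. SharePoint user identity. SPContext.Current is null outside a
        // SharePoint request and CurrentUser is null for anonymous visitors.
        // The SPWeb belongs to SPContext, so it must not be disposed here.
        SPContext sp = SPContext.Current;
        SPUser spUser = sp != null ? sp.Web.CurrentUser : null;
        report.AppendLine("SharePoint user: " + (spUser != null
            ? spUser.LoginName
            : "none (anonymous or no SharePoint context)"));

        return report.ToString();
    }
}
```

The report names the application pool account, so render it only on a diagnostics page restricted to administrators.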

Published by

Phil Harding

SharePoint Consultant, Developer, Father, Husband and Climber.
