I want to use a user account for the Application Pool. Does this account needs to have administrative rights on the Web Front End (WFE) server?
Absolutely not. First make sure that the account is a domain user account. For example, you can use the same account that you used for the WSS 3.0 service. The account does not need to be a member of any particular security group. In fact, make sure that the account is not a member of the Administrators group on WFE or the back-end database server. All you need to do is ensure that the domain user account has the rights only to the database and no other service on the server. Remember to specify the user name in the DOMAIN\Username format.