In a nutshell, we have been locking down the IIS APPPOOL account used by an Internet-facing web application. The IIS APPPOOL account by default belongs to a number of mandatory groups when the security token is injected into the w3wp.exe process:
Token contents:
User:
  IIS APPPOOL\XXX XXXX XXXX
Groups:
  Mandatory Label\High Mandatory Level      INTEGRITY
  Everyone                                  MANDATORY
  BUILTIN\Users                             MANDATORY
  NT AUTHORITY\SERVICE                      MANDATORY
  CONSOLE LOGON                             MANDATORY
  NT AUTHORITY\Authenticated Users          MANDATORY
  NT AUTHORITY\This Organization            MANDATORY
  IIS APPPOOL\XXX XXXX XXXX                 LOGONID,MANDATORY
  BUILTIN\IIS_IUSRS                         MANDATORY
  LOCAL                                     MANDATORY
  S-1-5-82-0                                MANDATORY
Privileges:
  SeAssignPrimaryTokenPrivilege             DISABLED
  SeIncreaseQuotaPrivilege                  DISABLED
  SeAuditPrivilege                          DISABLED
  SeChangeNotifyPrivilege                   ENABLED
  SeImpersonatePrivilege                    ENABLED
  SeCreateGlobalPrivilege                   ENABLED
  SeIncreaseWorkingSetPrivilege             DISABLED
What this means is that anyone who can execute code on the web server (i.e. a hacker) potentially has access to the operating system files and processes via their membership in the Users and Everyone groups, courtesy of the IIS APPPOOL security token.
So to prevent this we have removed the permissions of the Everyone and Users groups on the root folders and all child files and folders for everything but the web root (when you do this, the OS security UI complains if you try to do it on the Windows and Windows\system directories). The Administrators group is left untouched. This has now locked down our web server and the IIS APPPOOL inherited permissions to our satisfaction, and all applications behave as required.
However, a side effect of this security lockdown is that any local administrative accounts on the local machine (there is no domain security), except the BUILTIN\Administrator default account, now have no read, write or execute permissions ("Access denied"), which is not what we would expect. This is despite the administrators belonging properly to the Administrators group and the Administrators group being correctly set on the files (after all, the default Administrator account works as expected).
Any suggestions on how to give back administrative privileges to non-default administrative accounts without having to reinstate the Authenticated Users and Everyone group permissions?
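A diagnostic added here to narrow down the behaviour described above; it is not part of the original post. It assumes PowerShell on the affected server, run from a session belonging to one of the non-default local administrator accounts, and the folder paths are placeholders. It checks whether the session holds an elevated token or the UAC-filtered token in which the Administrators group is marked "Group used for deny only" (a filtered token cannot satisfy an Allow ACE for Administrators, so such an account was relying on the Users/Everyone entries that were removed; the built-in Administrator account is exempt from filtering unless FilterAdministratorToken is set), reads the relevant UAC policy values, and lists the ACEs remaining on each folder so it is visible whether BUILTIN\Administrators still holds an Allow entry.

```powershell
# Added diagnostic, not from the original post. Assumes it is run on the affected
# server in a PowerShell session of one of the non-default local administrator
# accounts. Folder paths below are placeholders; replace them with real ones.
$paths = @('C:\inetpub\wwwroot', 'C:\LockedDownFolder')   # placeholders

# 1. Is this session running with an elevated token, or with the filtered token
#    UAC gives a local administrator who has not elevated?
$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Account: $($id.Name)   Elevated: $elevated"

# 2. In a filtered token BUILTIN\Administrators is present but marked
#    'Group used for deny only', so it cannot grant access through an Allow ACE.
#    Everyone and BUILTIN\Users are shown alongside for comparison.
whoami /groups /fo csv | ConvertFrom-Csv |
    Where-Object { $_.'Group Name' -like '*Administrators' -or
                   $_.'Group Name' -eq 'Everyone' -or
                   $_.'Group Name' -eq 'BUILTIN\Users' } |
    Format-Table 'Group Name', Attributes -AutoSize

# 3. UAC policy: EnableLUA=1 turns token filtering on; FilterAdministratorToken
#    (absent or 0 by default) decides whether the built-in Administrator account
#    is filtered too, which is why it behaves differently from other admins.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
"EnableLUA: $($uac.EnableLUA)   FilterAdministratorToken: $($uac.FilterAdministratorToken)"

# 4. Which ACEs remain on each folder, and does BUILTIN\Administrators still hold
#    an Allow entry? Reading the ACL itself needs READ_CONTROL, so a filtered token
#    may fail here; that failure is itself a useful signal.
foreach ($p in $paths) {
    try {
        $acl = Get-Acl -Path $p
    } catch {
        "$p : cannot read the ACL with this token ($($_.Exception.Message))"
        continue
    }
    "`n$p   (inheritance blocked: $($acl.AreAccessRulesProtected))"
    $acl.Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
    $adminAllow = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
        $_.AccessControlType -eq 'Allow'
    }
    if (-not $adminAllow) { "  No Allow ACE for BUILTIN\Administrators on $p" }
}
```

Run it twice: once from an ordinary prompt and once from a prompt started with "Run as administrator". If the elevated run reads every ACL and the ordinary run shows Administrators as "Group used for deny only", the accounts and the file ACLs are fine; the lockdown has simply removed the Users/Everyone entries that a non-elevated administrator session was silently depending on, and the fix is to work from elevated processes (or, deliberately and with the usual caveats, to adjust the UAC policy) rather than to put those group permissions back.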