The reason it cannot read the config file is because the process running your web app does not have permission to access the file/directory. So you need to give the process running your web app those permissions.
The access rights should be fairly straightforward, i.e. at least Read, and, depending on your app, maybe Write.
Above, you mention IUSR etc. not being in the properties for web.config. If by that you mean that IUSR is not listed in the security tab of the file then it's a good thing. One doesn't want to give IUSR any kind of permission to web.config. The role IUSR is an anonymous internet user.
The file web.config should only be accessible through your application.
See the following links, Where they have already discussed this matter
the-requested-page-cannot-be-accessed-because-the-related-configuration-data-for[
^]
internal-server-error-the-requested-page-cannot-be-accessed-because-the-related[
^]