in reply to Re: CGI + IIS + Win32::Service == Doh!
in thread CGI + IIS + Win32::Service == Doh!

You should be very careful when changing the account that CGI runs as. You're giving anyone who finds a vulnerability in IIS, or your script, way too much access to your box.

There are safer ways to do this. One of the easiest is to have the CGI script write a flag file, or a row in a database table (if it already has DB access for something else) that tells a back-end process what to do. The back end then (a) has permissions to do things, and (b) isn't a script that's exposed to the outside world. Yes, you're writing two scripts instead of one, but the reduction in risk is worth it.


--
Spring: Forces, Coiled Again!
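The flag-file handoff described in the post above, sketched in Perl as an added example that is not part of the original post or thread. The spool directory, the allowlist contents and the sub names `queue_request` and `process_spool` are assumptions made for illustration, and the sample requests are constructed.

```perl
use strict;
use warnings;
use File::Glob qw(bsd_glob);
use File::Spec;
use File::Temp qw(tempdir);

# Only these service/action pairs may ever be requested (hypothetical names).
my %ALLOWED = (Spooler => { start => 1, stop => 1 }, W3SVC => { start => 1 });

# CGI side: runs as the low-privilege web account and only writes a request.
sub queue_request {
    my ($spool, $service, $action) = @_;
    return 0 unless $ALLOWED{$service} && $ALLOWED{$service}{$action};
    my $name = sprintf 'req-%d-%d-%04d', time, $$, int rand 10_000;
    my $tmp  = File::Spec->catfile($spool, "$name.tmp");
    open my $fh, '>', $tmp or die "cannot write $tmp: $!";
    print {$fh} "$service $action\n";
    close $fh or die "close $tmp: $!";
    # Rename so the worker never picks up a half-written file.
    rename $tmp, File::Spec->catfile($spool, "$name.req") or die "rename: $!";
    return 1;
}

# Back-end side: runs as the privileged account and is not reachable from the web.
# It re-validates every request instead of trusting what is in the spool.
sub process_spool {
    my ($spool, $handler) = @_;
    my @done;
    for my $file (sort { $a cmp $b } bsd_glob(File::Spec->catfile($spool, '*.req'))) {
        open my $fh, '<', $file or next;
        my $line = <$fh> // '';
        close $fh;
        unlink $file;    # consume the request whether or not it is valid
        my ($service, $action) = $line =~ /\A(\w{1,64}) (start|stop)\n\z/ or next;
        next unless $ALLOWED{$service} && $ALLOWED{$service}{$action};
        $handler->($service, $action);
        push @done, "$service:$action";
    }
    return @done;
}

# Demo with constructed input; on the Windows host the handler would call
# Win32::Service::StartService('', $service) or StopService('', $service).
my $spool = tempdir(CLEANUP => 1);
queue_request($spool, 'Spooler', 'start');          # accepted and queued
queue_request($spool, 'Spooler', 'delete');         # refused on the CGI side
open my $bad, '>', File::Spec->catfile($spool, 'x.req') or die "open: $!";
print {$bad} "EventLog stop\n"; close $bad;         # constructed request that bypassed the CGI check
print "$_\n" for process_spool($spool, sub { });    # prints Spooler:start
```

The web account needs write access to the spool directory only; the worker keeps its own copy of the allowlist so that a compromised CGI script can request nothing beyond the listed actions.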