However, this is a perl CGI script running on IIS and it won't let me do that for security reasons. Therefore, I need to do it through Perl. Can this be done?

What makes you think that a Perl script would be able to do it, if the system utilities can not? The Perl script would be running under the same user ID and so be subject to the same restrictions.

Let me say that having your webserver grant Everyone execute permissions on (presumably uploaded) files seems like a recipe for disaster. If you do this, and get hacked as a result, be it on your own head. You are warned!

Like you, I've had trouble with both the modules you tried. They do not preserve the explicit ordering of ACLs. Ie:

Explicit denials
Explicit grants
Inherited denials
Inherited grants
[download]

Unless you arrange to do this yourself in your perl code, that can cause significant troubles. Even cacls.exe got that wrong! (X|I)cacls get that right for you.

If you really need to have this initiated by the CGI, then I would seriously consider writing a "permissions server" that: opens a port; only accepted connections from the local host; runs under an account/group with just enough authority to run (X|I)cacls to achieve your needs.

But once again, please think very carefully about granting execute permissions to uploaded files.

You asked "what makes you think that a Perl script would be able to do it, if the system utilities can not"? The answer is because as stated in the original post, the commented line that sets the permissions works. It just replaces all the permissions with what I set and that is not desirable. I just can't figure out how to modify the existing permissions. I have security taken care of so that is not the issue. The issue is can Perl be used to modify existing NTFS permissions? I'm beginning to think it just isn't possible and that is certainly disappointing.