By default each application pool in IIS 6.0 (hosted in windows 2003) is supposed to run in one worker process (w3wp.exe). Unless you activate web gardening to serve your application by multiple worker processes, there is only one and one process serving all the requests to one application pool.Well, you may ask that if there is only one process then what is the boundary between all these applications in the same application pool? (Good question!!)
Although the code for all applications resides inside one process, the unit of isolation is the .NET AppDomain..Net Application domain acts exactly like a process in OS and is both a container and a boundary. If there are classes with shared or static members, each AppDomain will have its own copy of the static fields – the data is not shared. The code and data for each application is safely isolated and inside of a boundary provided by the AppDomain. The main way to communicate between AppDomains (like any other Cross-Boundary scenarios) is to use .NET remoting.
If you look at msdn , you’ll see that AppDomain Class inherits MarshalByRefObject which makes it accessible across application domain boundaries through the use of remoting.However there is a security caveat to the concept of using AppDomain as a boundary which is the fact that each ASP.NET application is run with full trust by default and if hosted by AppDomain, then security threat becomes more serious as AppDomian is not really a secure boundary and it is hosting a full trust code as well ,so a native code can be injected into it and get an access to all unmanaged resources.