You do have some options and one of of those is impersonation as you mentioned. However, another one I like to use and have used in the past is a trusted service call. Let's assume for a moment that it's always much safer to limit access through IIS to ensure there are as few holes as possible. With that let's go down this road.
Build a WCF service that has a couple of entry points and the interface might look like this.
public interface IDocumentService
public string BuildTrustedRelationship(string privateKey);
public byte ReadFile(string token, string fileName);
public void WriteFile(string token, string fileName, byte file);
Now, you can host this service via a Windows service very easily and so now all you need to do is on
Application_start build the relationship with the service to get your token and you're off to the races. The other nice thing here is that this service is internal, trusted, and I've even hosted it on the file server before and so it's much easier to grant permissions to this operation.