In both SharePoint 2007 and SharePoint 2010, you can define policies that grant or deny permissions to specific users at the Web Application level. A policy overrules any permissions the user may or may not have at the Site Collection, Site, List or Item level.
For example: the Search Crawl Account (Content Access Account) will be given Full Read on all Web Applications to ensure all content is indexed.
In this section you have the option to check “Account operates as System”. This effectively hides the real user name and masks it as “System Account”.
Only for Windows Accounts
During experiments with Forms Based Authentication (in SharePoint 2010 through Claims Based Authentication), I found that while it is possible to give policy permissions to a non-Windows User, it is not possible to make it “operate as System”.
The SharePoint Logs confirmed that the underlying mechanism is really looking at Windows User Account Management to perform the lookup:
System.ComponentModel.Win32Exception: i:0#.f|fbamembershipprovider|demouser1
   at Microsoft.SharePoint.Win32.SPAdvApi32.LookupAccountName(String strAccountName, String& strDomainName, SID_NAME_USE& sidUse)
   at Microsoft.SharePoint.Administration.SPPolicy.set_IsSystemUser(Boolean value)
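Because a policy entry that operates as System has its real user name masked, it is worth knowing which entries carry that flag. The following audit script is an added example, not code from the original post: it lists every Web Application policy entry in a SharePoint 2010 farm with its roles, its account type and its `IsSystemUser` value. The helper name `Get-PolicyAccountKind` is hypothetical, and the script assumes it runs in the SharePoint 2010 Management Shell as a farm administrator.

```powershell
# Added audit example (not from the original post).
# Assumes the SharePoint 2010 Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Hypothetical helper: classify a policy login by its claims prefix.
function Get-PolicyAccountKind {
    param([string]$UserName)
    # "i:0#.w|" marks a Windows account, "i:0#.f|" a forms (membership
    # provider) user, as in the i:0#.f|fbamembershipprovider|demouser1 login
    # from the log. A login without a claims prefix is a classic Windows account.
    if ($UserName -like 'i:0#.w|*') { return 'Windows (claims)' }
    if ($UserName -like 'i:0#.f|*') { return 'Forms (claims)' }
    if ($UserName -match '^[ic]:0') { return 'Other claim' }
    return 'Windows (classic)'
}

# One row per policy entry on every Web Application in the farm.
$report = foreach ($webApp in Get-SPWebApplication) {
    foreach ($policy in $webApp.Policies) {
        New-Object PSObject -Property @{
            WebApplication   = $webApp.Url
            UserName         = $policy.UserName
            DisplayName      = $policy.DisplayName
            AccountKind      = Get-PolicyAccountKind $policy.UserName
            Roles            = ($policy.PolicyRoleBindings |
                                ForEach-Object { $_.Name }) -join ', '
            OperatesAsSystem = $policy.IsSystemUser
        }
    }
}

# Full listing, with explicit columns so the order is stable.
$report | Sort-Object WebApplication, UserName |
    Format-Table WebApplication, UserName, AccountKind, Roles, OperatesAsSystem -AutoSize

# Entries whose real user name is masked as "System Account".
$masked = @($report | Where-Object { $_.OperatesAsSystem })
Write-Host ("{0} policy entries operate as System:" -f $masked.Count)
$masked | Format-Table WebApplication, UserName, Roles -AutoSize
```

Given the behaviour described above, rows with an account kind of `Forms (claims)` should always show `OperatesAsSystem` as `False`.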