>My recommendation would be, for a web app, since the users never actually connect to the database, to use a single SQL Login (SQL Server or NT server doesn't matter) which has db_owner access to the data (or SPs) and control the user login/security at the application level.
>
>Bob
I'm going to strongly disagree with you here Bob<s>. IMO, the user that the application uses should not be a member of the db_owner database role. It should have EXECUTE permission to the procs and the procs should be owned by dbo.
Security by Least Privilege
-Mike
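
The setup Mike describes, sketched in T-SQL as an added example that is not part of either post. The table, procedure and user names are constructed, and `WITHOUT LOGIN` is an assumption that stands in for the application's real login so the script runs in a scratch database.

```sql
-- Added example; dbo.Orders, dbo.GetOrdersForCustomer and AppUser are constructed names.
-- GO is the batch separator used by sqlcmd and SSMS.
CREATE TABLE dbo.Orders (
    OrderId    int IDENTITY PRIMARY KEY,
    CustomerId int   NOT NULL,
    Total      money NOT NULL
);
INSERT INTO dbo.Orders (CustomerId, Total) VALUES (1, 19.99);  -- constructed sample row
GO

-- Procedure and table share an owner (dbo), so ownership chaining lets a caller
-- holding only EXECUTE read the table through the procedure. Dynamic SQL inside
-- a procedure breaks that chain and would need table permissions of its own.
CREATE PROCEDURE dbo.GetOrdersForCustomer
    @CustomerId int
AS
BEGIN
    SET NOCOUNT ON;
    SELECT OrderId, Total FROM dbo.Orders WHERE CustomerId = @CustomerId;
END;
GO

-- Assumption: a loginless user keeps the demo self-contained. In a deployment
-- this would be CREATE USER AppUser FOR LOGIN <the application's login>.
CREATE USER AppUser WITHOUT LOGIN;

-- The quoted recommendation, for contrast (left commented out; SQL Server 2012+
-- syntax, older versions use sp_addrolemember):
-- ALTER ROLE db_owner ADD MEMBER AppUser;

-- Least privilege: EXECUTE on the procedure only, no table or role grants.
GRANT EXECUTE ON OBJECT::dbo.GetOrdersForCustomer TO AppUser;
GO

-- Check the result while impersonating the application user.
EXECUTE AS USER = 'AppUser';
EXEC dbo.GetOrdersForCustomer @CustomerId = 1;
SELECT HAS_PERMS_BY_NAME('dbo.GetOrdersForCustomer', 'OBJECT', 'EXECUTE') AS can_exec_proc,
       HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'SELECT')               AS can_select_table,
       HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'DELETE')               AS can_delete_table;
REVERT;
GO
```

Run it as a database owner in a scratch database; the permission query shows what a SQL injection or stolen connection string for `AppUser` could and could not reach directly.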