>Although, if the only account you made db_owner was with an NT account that ASP.NET impersonated which used NT Authentication to connect to the database, is there really a security issue?
Yes, if the account is hijacked through the application
>Isn't that kind of like saying, you shouldn't have any server admin eqivilent logins because they have access to everything?
Almost. It should be OK if the account is not exposed, especially to the Internet.
-Mike