Thanks, Rick - that clears it up for me...

>Hi steve,
>
>I desktop apps this is generally true, but for Web applications using a trusted connection is a problem because you have to assign the ASPNET account the trust. Compromise that and you're in trouble. Now I personally think that if you have compromised that account you're in trouble anyway, but this is the way the thinking goes. Also if you host more than one site or app on the same box for differnt people you pretty much have to resort to using SQL Auth.
>
>That said, if the server is all under your control and you don't plan to share then you can safely use ASPNET. Otherwise you have to think about using a connection string.
>
>
>
>>>I wouldn't recommend adding the ASPNET account to the server but rather use a specific Login and use that login in the connection string to access the database.
>>
>>This begs a question, Rick - Doesn't this suggest that you are using SQL Authentication instead of Windows Authentication? My understanding is that this is a much less secure authentication method, and since the database server may be handling databases other than the one being accessed by the web application and the authentication scheme is established at the server level, you'd have to live with mixed-mode authentication for all hosted databases.
>>
>>If (for whatever reason) we choose to use Windows authentication, how do we specify the account under which IIS (or our web app) is running for the purpose of authentication?
>>
>>Thanks.