>1. Security - I have experimented with forms authentication and this seems to work well, but is this sufficiently secure for an application working over the internet?<

I am not sure what you mean by "sufficient." Nevertheless, forms authentication works well for securing resources (web pages) owned by ASP.NET. Keep in mind that by default forms authentication will not protect resources not owned by ASP.NET (e.g. PDF files, XML files, JPGs)

You should also try to protect login credentials with SSL and limit authentication cookies lifetime (do not create persistent authentication cookies.)

I don't know if there was (or will be) a DevDays 2004 event this year near to where you are. But the main focus of the web track in DevDays 2004 was security. You might want to find out.