A question, if I may, on your security design... are you saying that users will log in to your application and that that login will not be validated in SQL?
Does that therefore mean that you are using some form of hard-coded application ID to connect to SQL when you need to?
Have you considered someone using Excel next to your application and connecting directly to your SQL Server to pull data out?
Sorry if I'm going off at a tangent, but I'm curious.
Simon