GetEnv() and WScript.Network both rely on Environment variables to obtain the user and domain information. How secure is that? Aren't environment variables easily created/destroyed/edited?

We're wanting to use the credentials with which the user logged in for our applications security so that the user does not have to log into their workstation and then turn around and log into our app. We've talked about pulling the information from GetEnv or WScript but if users can "tweak" environment variables then that would allow them to spoof other users, etc.

Any ideas?

Thanks for your help.