I am trying to put together a design for an application and am having trouble understanding the security design needed. If I were to adopt a design similar to that described in the "Walkthrough: Creating a Distributed Application" (found on MSDN under Visual Studio Walkthroughs), I cannot figures out how to carry the users security credentials through all the tiers. My complication is that though the servers run Windows 2000, most if not all the workstations run Windows NT. For this reason, I cannot use Kerberos and, if I have a three-hop design (client on the workstation, web services on a web server and then the data on yet another server), I believe that I cannot use impersonation and delegation to persist the users identity through to the database.

Can anyone provide me with some guidance as to how to handle the last hop. Also, of some importance are two requirements of the application that affect security concerns. One, all user are not created equal - some users will have edit ability in some sections but not others. Two, I need to be able to write data to the client hard disk, at least temporarily, in order to use Office interoperability.

I need help here.

Dennis