• I still think Windows authentication is more secure. At the very least people do not have to remember a second login, and you aren't storing a login in the web config.

    There are 2 ways I know of to get IIS to work with Windows Authentication:

    1. Make sure you are using Kerberos authentication. K. Brian Kelley has a good article on this site for setting this up. Using Kerberos allows for multi-hop authentication, so your web app can run under one account, but pass the connected user's Windows credentials to SQL Server for authentication.

    2. A simpler way is to have the app pool your web app is running under use a domain login that you grant the appropriate database rights to. The issue with this is that you can't see the actual user that is using the application; you always see the application account.
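
The two options above can be told apart from the SQL Server side. The T-SQL below is an added example, not part of the original post: it sets up the app pool account from option 2 with limited rights, then lists which login and authentication scheme each session actually arrived with. `CONTOSO\svc-webapp`, `SalesDb` and the two roles granted are placeholder assumptions.

```sql
-- Added example. CONTOSO\svc-webapp and SalesDb are placeholder names;
-- the roles granted are an assumption about what the application needs.

-- Option 2: the app pool's domain account gets a Windows login, so no
-- password is stored in web.config. Grant only the rights the app uses.
CREATE LOGIN [CONTOSO\svc-webapp] FROM WINDOWS;
GO
USE SalesDb;
GO
CREATE USER [CONTOSO\svc-webapp] FOR LOGIN [CONTOSO\svc-webapp];
ALTER ROLE db_datareader ADD MEMBER [CONTOSO\svc-webapp];
ALTER ROLE db_datawriter ADD MEMBER [CONTOSO\svc-webapp];
GO

-- Check what SQL Server sees. Run as a DBA (needs VIEW SERVER STATE)
-- while users are working in the web application.
--   Option 1 working: login_name is each end user, auth_scheme = KERBEROS.
--   Option 2:         login_name is always the app pool account.
--   auth_scheme = NTLM from a remote web server means Kerberos is not in
--   use, so the end user's credentials cannot be passed on a second hop.
SELECT
    s.login_name,            -- identity SQL Server authorizes against
    s.original_login_name,   -- identity that opened the connection
    c.auth_scheme,           -- KERBEROS, NTLM or SQL
    s.host_name,             -- client machine name as reported by the client
    s.program_name,
    COUNT(*) AS session_count
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
    ON c.session_id = s.session_id
WHERE s.is_user_process = 1
GROUP BY
    s.login_name, s.original_login_name, c.auth_scheme,
    s.host_name, s.program_name
ORDER BY session_count DESC;
```

Any row with `auth_scheme = 'SQL'` coming from the web server's host name points to a connection string that still carries a stored SQL login.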