It depends on your security expectations. Typically, a login from an application doesn't have read/write, they ONLY have execute permissions to procedures, and inherit what they need from the schema owners.
The reason for this is tiered security, and comes from the following line of thinking. If a hacker cracks your login for the website (Either SQLLogin or AD), they have exactly as much ability to affect the database as they did before from the website... unless the website was sanitizing inputs for dynamic SQL, then the hacked login can pretty much do whatever the hell it wants.
DBO for the app owners is a convenience thing. It means they don't have to give sysadmins a separate SQL Script for upgrades and the like and their application can send down the DDL and DML during the installation with its already pre-built security logins. It's bad form, usually.
And to answer your question, yes, every one of my procs has a tail that looks like this:
GRANT EXECUTE ON <schema>.<procname> TO <DBRole>
GO
Never stop learning, even if it hurts. Ego bruises are practically mandatory as you learn unless you've never risked enough to make a mistake.
For better assistance in answering your questions[/url] | Forum Netiquette
For index/tuning help, follow these directions.[/url] |Tally Tables[/url]
Twitter: @AnyWayDBA