• Yes, Web applications that I see these days all seem to use a single generic login which is stored, hopefully encrypted, in web.config.

    Shouldn't the SQL 2005 implementation of application roles permit these web app developers to use integrated authentication? I guess that depends on the app as well - guest users coming from www won't have domain accounts.