The subscriber either needs to be able to use an NT login that is valid in the publishing database, or you will need to use SQL authentication. Using SQL authentication will make this far easier for you to set up.
As far as the snapshot folder, if you manually set up the initial database, you technically never need access to the snapshot folders from the subscriber. You can set up and run merge replication without using the snapshot agent at all. In practice, this is typically not the way to go. You will usually want to be able to have the snapshot agent reinitialize your database as necessary or send schema changes to your subscribers. Luckily, you have the option during the wizard to use an ftp folder for the snapshot folder. You configure the publishing database to use a local folder on it's network and then publish this folder via ftp to make it available to the subscribers.
Securing this can be a bit of a trick as ftp is not very secure, but if you have someone around that knows a bit about web security, authentication can be handled through certificates.