Yep, I've done it. It can work great. It requires a lot of discipline, but you can do it. I've written a couple[/url] of articles[/url] on it (although they're a little long in the tooth at this point) that should help a bit. I think there might be a post or two on my blog as well.
The hardest part is getting everyone to agree that all deployments of all database objects have to come out of source control. The developers, usually, get on board quickly. It's everyone else, DBAs, testers, management, that have issues with this. The other trick is picking a method for setting up security. I show how you can do this using compound projects, but I've found when your projects get really big, or the number of environments gets to be more then three or four, this approach breaks down. A more resilient method is to use post deployment scripts with big IF statements to deploy different security for different environments.
Other than that, you can automate the entire thing.
An alternate choice these days, is Red Gate's SQL Source Control.
I wrote about both in the Red Gate Team Development book[/url]. It might be worth a read.