Hey Andy, what will people win for reviewing one of my articles?? ;))
Some interesting points throughout the article. I run a range of sites where we utilise 3 DB logins to a 300-table schema; each login basically segregates the model into "subject areas", which are accessed via COMs at the business layer and are shared by thousands of end users who authenticate via Active Directory. This model is very easy to administer, and the actual "user privs" to the application's screen components are managed "in-code" using a variety of tables. Auditing is throughout via triggers.
The only issue to watch out for is hiding the connectivity info; a plain-text INI file is simply bad practice. I know of a few sites where hackers have gained entry to the server as a lowly user but quickly gained access to the DB because the INI had all the passwords to get in!
What I will say though, is that I do like to use win authentication for sysadmin access and rarely utilise the SA account.
Author of "SQL Server Backup, Recovery & Troubleshooting"
Author of "SQL Server 2k for the Oracle DBA"
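As an added illustration of the model described in the comment above (this is example code written for this page, not the commenter's own scripts), the T-SQL below shows one way to set up per-subject-area logins on SQL Server, with the service account as a Windows login so that no password has to live in an INI file, and a row-level audit trigger that records both the database login and the end user the application authenticated. The schema names (Sales, HR), the domain account CORP\svc_sales, the role name, the Orders table and the session-context key app_user are all assumptions made for the example; the comment mentions three logins, of which only one is shown here.

```sql
-- Example (not from the original post): subject-area segregation plus trigger auditing.
-- All object names below are placeholders chosen for this illustration.

-- Subject areas are modelled as schemas (one CREATE SCHEMA per batch).
CREATE SCHEMA Sales;
GO
CREATE SCHEMA HR;
GO

-- Service account is a Windows login: the application connects with
-- Integrated Security, so the connection string carries no password.
CREATE LOGIN [CORP\svc_sales] FROM WINDOWS;          -- CORP\svc_sales is a placeholder account
CREATE USER svc_sales FOR LOGIN [CORP\svc_sales];

-- Permissions live on a role; the user is only a member of it.
CREATE ROLE sales_app;
ALTER ROLE sales_app ADD MEMBER svc_sales;

-- DML inside its own subject area only ...
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::Sales TO sales_app;
-- ... and an explicit DENY on the neighbouring area so a later broad GRANT cannot leak in.
DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::HR TO sales_app;
GO

-- Audit table: who (DB user, original login, application end user), what, when.
CREATE TABLE dbo.AuditLog (
    AuditId   INT IDENTITY(1,1) PRIMARY KEY,
    TableName SYSNAME       NOT NULL,
    Action    CHAR(1)       NOT NULL,                       -- 'I', 'U' or 'D'
    ChangedAt DATETIME2     NOT NULL DEFAULT SYSUTCDATETIME(),
    DbUser    SYSNAME       NOT NULL DEFAULT USER_NAME(),
    LoginName SYSNAME       NOT NULL DEFAULT ORIGINAL_LOGIN(),  -- survives EXECUTE AS / impersonation
    AppUser   NVARCHAR(128) NULL,                           -- end user, set by the app per session
    RowData   NVARCHAR(MAX) NULL
);
GO

CREATE TABLE Sales.Orders (
    OrderId    INT           NOT NULL PRIMARY KEY,
    CustomerId INT           NOT NULL,
    Amount     DECIMAL(12,2) NOT NULL
);
GO

-- One trigger covers insert, update and delete; it must be the first statement in its batch.
CREATE TRIGGER Sales.trg_Orders_Audit ON Sales.Orders
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @action CHAR(1) =
        CASE WHEN EXISTS (SELECT 1 FROM inserted) AND EXISTS (SELECT 1 FROM deleted) THEN 'U'
             WHEN EXISTS (SELECT 1 FROM inserted)                                      THEN 'I'
             ELSE 'D' END;

    -- For I and U log the new image; for D log the removed row.
    ;WITH changed AS (
        SELECT * FROM inserted
        UNION ALL
        SELECT * FROM deleted WHERE @action = 'D'
    )
    INSERT INTO dbo.AuditLog (TableName, Action, AppUser, RowData)
    SELECT 'Sales.Orders',
           @action,
           CAST(SESSION_CONTEXT(N'app_user') AS NVARCHAR(128)),
           CONCAT('OrderId=', c.OrderId, ';CustomerId=', c.CustomerId, ';Amount=', c.Amount)
    FROM changed AS c;
END;
GO

-- What the business layer does on each connection, before issuing DML:
-- it tells the database which Active Directory user is driving the request.
EXEC sp_set_session_context @key = N'app_user', @value = N'CORP\jsmith';  -- placeholder end user
INSERT INTO Sales.Orders (OrderId, CustomerId, Amount) VALUES (1, 42, 99.50);
SELECT AuditId, Action, DbUser, LoginName, AppUser, RowData FROM dbo.AuditLog;
```

The point of recording both ORIGINAL_LOGIN() and the session-context value is that, under the shared-login model, every row change arrives as svc_sales; without the application passing the end user down, the trigger cannot attribute the change to a person. The DENY on the other schema is deliberate: SQL Server evaluates DENY over GRANT, so a future role grant at database scope does not silently widen the service account's reach. The tables that drive the "in-code" screen privileges mentioned in the comment are application-specific and are not modelled here.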