I'm wondering what the best and most secure practice is when it comes to creating a login-script for user to a website. The site will hopefully get a substantial amount of hits, and the content needs the highest level of secutity. The box I'm setting this up on is a Windows 2000 NTFS with all the latest servicepacks etc. and SQL Server 2000 as the database. As I see it I have two options:

1. Create an asp login script that uses sessions for authentication, with usernames and passwords in the sql-server database. This will be fairly easy to create and maintain but I'm not so sure about how secure it is and how many users it can handle.

2. Setting anonymous logon to my site off and create some script that manages Win2k user accounts so that each website user is actually a user on the box aswell (with very limited access offcourse).

I have a better feeling about the second one, but I'm not really sure what I should to do. Security is at the essence here, so I would prefer the most secure solution even if it means more work for me.