I use integrated Windows Authentication on my intranet. There
is a checkbox for it under IIS.
This allows the username to be visible to CF using the
#cgi.auth_user# variable.
As for security, I maintain a data table with each username
and appropriate permissions. In my application, I merely confirm
that the currently logged in user is authorized for given areas of
my site.
Works great. The only real caveat is that some places might
argue that you are not verifying that the person behind the
keyboard is really the person currently logged into that particular
machine on the network. My defense is that this scenario is the
responsibility of the currently logged in user, rather than the web
developer. Your environment may dictate more stringent criteria or
verification.
BTW: My implementation has passed muster with our security
audits in the medical field for the last eight or nine
years.
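An added example of the authorization pattern described in the post above (it is not the poster's code). It assumes an Application.cfc, a datasource named "intranet" and a permissions table `user_permissions(username, area)`; area names and path prefixes are made up for illustration.

```cfml
<!--- Application.cfc (added example, not the poster's own code). Assumes a
      datasource "intranet" and a table user_permissions(username, area). --->
component {
    this.name = "IntranetAuthzExample";
    this.datasource = "intranet";

    // Map URL path prefixes to the "areas" stored in the permissions table.
    // Any path not listed resolves to "" and is denied by default.
    variables.areaByPath = {
        "/reports/" : "reports",
        "/admin/"   : "admin"
    };

    public boolean function onRequestStart(required string targetPage) {
        // IIS populates cgi.auth_user only after it has authenticated the
        // Windows session; it is empty when anonymous access is still enabled
        // on the site, so an empty value must be treated as "not authenticated".
        var rawUser = trim(cgi.auth_user);
        if (!len(rawUser)) {
            cfheader(statuscode=401, statustext="Unauthorized");
            abort;
        }
        // IWA presents DOMAIN\user; the table is assumed to store the bare name.
        var userName = listLast(rawUser, "\");
        var area = resolveArea(arguments.targetPage);
        if (!isAuthorized(userName, area)) {
            cfheader(statuscode=403, statustext="Forbidden");
            writeOutput("Access denied.");
            abort;
        }
        return true;
    }

    private string function resolveArea(required string path) {
        for (var prefix in variables.areaByPath) {
            if (left(lCase(arguments.path), len(prefix)) == lCase(prefix)) {
                return variables.areaByPath[prefix];
            }
        }
        return "";   // unknown area: isAuthorized() denies it
    }

    private boolean function isAuthorized(required string userName, required string area) {
        if (!len(arguments.area)) return false;
        // Bind the username even though IIS supplied it, so the lookup never
        // depends on trusting the header's content.
        var q = queryExecute(
            "SELECT 1 AS ok FROM user_permissions WHERE username = :u AND area = :a",
            { u = { value = arguments.userName, cfsqltype = "cf_sql_varchar" },
              a = { value = arguments.area,     cfsqltype = "cf_sql_varchar" } }
        );
        return q.recordCount > 0;
    }
}
```

The 401 branch is the check behind the post's caveat: the header is only meaningful once IIS has disabled anonymous access and actually enforced the Windows logon.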