Regarding # 1:
Typically you would create a user for the database that is recognized as the "application" and specify those credentials. The "application" is acting on behalf of the users.
Or to restrict access at the database level, you would not specify credentials in the connection string and use the "impersonate=true;" option in the connection string instead.
Regarding # 2:
You can restrict access to specific users in the web.config via the allow and deny nodes, for instance:
<system.web>
  <authorization>
    <allow users="MyCompanyDomain\John.Deere,MyCompanyDomain\Jane.Doore"/>
    <deny users="*"/>
  </authorization>
</system.web>
This only allows two users in and denies all others. You can also specify Active Directory groups.
Read more here: http://msdn.microsoft.com/en-us/library/acsd09b0(v=vs.85).aspx
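As an added example (not from the answer above), here is the same idea extended to Active Directory groups and to a sub-folder with tighter rules. It assumes Windows authentication is enabled and that the group names `MyCompanyDomain\AppUsers` and `MyCompanyDomain\AppAdmins` exist; rules are evaluated top to bottom and the first match wins, so the `deny users="*"` line must come last.

```xml
<configuration>
  <system.web>
    <!-- Domain user/group names in allow/deny only resolve under Windows auth -->
    <authentication mode="Windows"/>
    <authorization>
      <!-- Assumed AD group (constructed name); members of this group get in -->
      <allow roles="MyCompanyDomain\AppUsers"/>
      <!-- Everyone else, including anonymous users, is refused.
           First match wins, so this catch-all must stay at the end. -->
      <deny users="*"/>
    </authorization>
  </system.web>

  <!-- Tighter rules for the /Admin folder only; these are checked
       before the site-wide rules above for requests under that path -->
  <location path="Admin">
    <system.web>
      <authorization>
        <!-- Assumed AD group (constructed name) -->
        <allow roles="MyCompanyDomain\AppAdmins"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
```

If the order were reversed (deny first), no one would get in because the `*` rule would match every request before the allow rule is reached.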