There are really 2 methods to do this:
1) Use SQL server authentication. Create a SQL user and use a connection string in the following format for SQL 2012:
Server=myServerAddress;Database=myDataBase;User Id=myUsername; Password=myPassword;
2) Use mixed mode authentication and authenticate as a Windows user. Your connection string would look like this:
Server=myServerAddress;Database=myDataBase;Trusted_Connection=True;
You'd first go onto the web servers and create a Windows user. Remove it from the domain users group.
Then you'd go into SQL, add the user you're trying to connect with to the list of users, then grant read/write to the database you're trying to access.
If you go with this method, you'd set your app pool to run as the user you created and then add that user to the IIS_WPG group if you're running Windows 2003 or to the IIS_IUSRS group if you're running Windows 2008 or later.
Either one of these methods is perfectly acceptable. If you're running the webservers in the DMZ (not in your Windows domain), you'll want to go with option 1. If the webservers are in the domain, some would argue that option 2 is marginally safer because you're not storing the password in plain text, but you could still do option 1 if you felt like it.
Also, here's a pretty good site with a list of formats of connection strings for various versions of Windows/.NET/SQL:
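
The following is an added example, not part of the original answer: Python that audits a web.config for the two connection string styles above and reports which entries store a password in plain text. The sample file, the entry names (SqlAuth, WindowsAuth, Conflicting) and the function names are constructed for illustration, and quoted values containing semicolons are assumed not to occur.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config using the two connection string styles from
# the answer; server, database and credential values are placeholders.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="SqlAuth" connectionString="Server=myServerAddress;Database=myDataBase;User Id=myUsername; Password=myPassword;" />
    <add name="WindowsAuth" connectionString="Server=myServerAddress;Database=myDataBase;Trusted_Connection=True;" />
    <add name="Conflicting" connectionString="Server=myServerAddress;Database=myDataBase;Integrated Security=SSPI;Pwd=leftover;" />
  </connectionStrings>
</configuration>"""

PASSWORD_KEYS = {"password", "pwd"}
INTEGRATED_KEYS = {"trusted_connection", "integrated security"}
TRUE_VALUES = {"true", "yes", "sspi"}

def parse_connection_string(conn_str):
    """Split 'Key=Value;' pairs into a dict with trimmed, lower-cased keys."""
    pairs = {}
    for part in conn_str.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs

def classify(conn_str):
    """Return 'windows', 'sql-plaintext-password', 'conflicting' or 'unknown'."""
    pairs = parse_connection_string(conn_str)
    integrated = any(pairs.get(k, "").lower() in TRUE_VALUES for k in INTEGRATED_KEYS)
    has_password = any(pairs.get(k) for k in PASSWORD_KEYS)
    if integrated and has_password:
        # Windows authentication is requested, yet a password is still on disk.
        return "conflicting"
    if integrated:
        return "windows"
    if has_password:
        return "sql-plaintext-password"
    return "unknown"

def audit_web_config(xml_text):
    """Map each named <add> entry carrying a connectionString to its verdict."""
    root = ET.fromstring(xml_text)
    return {add.get("name"): classify(add.get("connectionString"))
            for add in root.iter("add")
            if add.get("connectionString") is not None}

if __name__ == "__main__":
    for name, verdict in audit_web_config(SAMPLE_WEB_CONFIG).items():
        print(f"{name}: {verdict}")
```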