Security Question - 04-11-2005, 02:45 AM
I currently have a COM+ object running under a privileged account which
performs sensitive operations. A web page front end is set up to access this
object. The web server is set to impersonate the current user, and all the
security checks are performed within the web page code. The COM object's
security is set to a security group which all users accessing the web page
are in.
The question I have is: do I have to do all the security checks I do in the
front end web page again on the COM+ object? My worry is that somehow one of
the users could bypass the front end and get directly at the COM+ object.
The box would be locked down, but is that enough? Any help would be
gratefully received; I can't seem to find any best practices for this situation.
Thanks
Bill
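The setup the post describes, written out as a .NET Enterprise Services (COM+) component that repeats the authorization check at its own boundary. This is an added example, not code from the poster. The role name "SensitiveOperators", the application name, the method `Perform`, and the `IsAllowedFor` policy are assumptions standing in for the group and checks the post does not name; the point it shows is that role enforcement at the component (`ComponentAccessControl`, `IsCallerInRole`) and the per-operation check both run inside the privileged object, so they still apply to a caller who never went through the web page.

```csharp
using System;
using System.EnterpriseServices;
using System.Security;

// Assumed COM+ server application: the component runs out of process under
// the privileged identity configured for the application, as in the post.
[assembly: ApplicationName("SensitiveOpsApp")]
[assembly: ApplicationActivation(ActivationOption.Server)]
// Turn COM+ access checks on at the component level, require encrypted
// calls, and let the component learn who the direct caller is.
[assembly: ApplicationAccessControl(
    true,
    AccessChecksLevel = AccessChecksLevelOption.ApplicationComponent,
    Authentication = AuthenticationOption.Privacy,
    ImpersonationLevel = ImpersonationLevelOption.Identify)]

namespace SensitiveOps
{
    // "SensitiveOperators" is an assumed role; at deployment it would be
    // mapped to the security group the post mentions.
    [ComponentAccessControl(true)]
    [SecureMethod]
    [SecurityRole("SensitiveOperators")]
    public class SensitiveOperation : ServicedComponent
    {
        public string Perform(string target)
        {
            // First gate: COM+ role membership, enforced here regardless of
            // whether the call came from the web page or from a client that
            // bypassed it. With the web server impersonating, the caller COM+
            // sees is the web user, not the web server's process account.
            if (!ContextUtil.IsSecurityEnabled ||
                !ContextUtil.IsCallerInRole("SensitiveOperators"))
            {
                throw new SecurityException("caller is not in role SensitiveOperators");
            }

            // Identity of the immediate caller as COM+ authenticated it.
            SecurityCallContext call = SecurityCallContext.CurrentCall;
            string caller = call.DirectCaller.AccountName;

            // Second gate: the same per-operation decision the front end makes,
            // repeated at the boundary an attacker who skips the web page hits.
            if (!IsAllowedFor(caller, target))
            {
                throw new SecurityException(caller + " may not operate on " + target);
            }

            // ... the sensitive operation itself would go here ...
            return "ok";
        }

        // Hypothetical policy: only the caller's own record may be touched.
        // A real implementation would consult the same rules the web page uses.
        private static bool IsAllowedFor(string accountName, string target)
        {
            string user = accountName;
            int slash = user.IndexOf('\\');
            if (slash >= 0)
            {
                user = user.Substring(slash + 1);
            }
            return string.Equals(user, target, StringComparison.OrdinalIgnoreCase);
        }
    }
}
```

Two caveats follow from the code. The role check duplicates only what the group setting on the object already provides, so if the web page's checks are finer-grained than group membership (per-record, per-amount, per-time), those rules have to be re-implemented or called from inside the component as `IsAllowedFor` sketches, or the bypass the poster worries about succeeds against anyone in the group. And if the web server ever stops impersonating (for example to pool connections), `DirectCaller` becomes the web server's account and both gates lose their meaning, so the component should fail closed rather than assume the identity is a user.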