Hi Ken,
Your assumptions are basically right. If you use integrated security on the connection string the account being used will be the same as the application pool that is running you code, if your code is under the CRM Web App (ISV folder) it will use the CRM Web App Pool credentials which by default are the Network Service.
Anyway, when you do the CRM setup the logins on the SQL Server are created even if you have a separate SQL Server Box. Check on you SQL Server box if that is the case.
Another thing that you should account for when working with IFD, is that the sql query is going to run under the account mentioned and not under the user account so the CRM security will not work properly with the Filtered Views. You should use impersonation on the queries by adding before the query a statement like "
Execute as Login=..." more info here http://blogs.msdn.com/crm/archive/2008/07/08/accessing-a-sql-database-from-a-microsoft-dynamics-crm-plug-in.aspx
The web service approach will work as well.
Hope it helps
Marco Amoedo - http://marcoamoedo.com