I can partially answer your question. For the password area scripting. One way that I have found most effective is to have an access number i.e. 2 for a user and store it in a database. Then when the login make a session variable equal that number.
So then for pages level 2 users and above can access you'd add this at the top of the pages:
<%If Session("Level")>2 then Response.Redirect("Login.asp")%>
So then if someone doesn't have a high enough access level it redirects them.
Am I making sense?