Actually, we *were* using AD security and just mapping a drive. We learned why they tell you not to make a web server a domin controller the hard way - when they changed permissions, the permissions were changed directory-wide.
So that's not an option anymore. I have been leaning towards WebDAV using SSL but I have seen most big hosting companies using FTP. I thought FTP sent login credentials in the clear.
One of the big reasons I like it is it's included in IIS. In many discussions I've seen on WebDAV people don't seem to trust it, but I've never seen why. I mean, I've seen security patches for it and all, but what part of Windows have they not had to patch up?