I'm designing an IIS/MTS/SQL7 application with some complex data access
security requirements. Would it make more sense to encode this in the
business logic layer or the data access layer?

Access is driven by business rules; but on the other hand, it might make
more sense to implement this deeper, in the data access layer.

Any thoughts?