It depends on your application. Several intranet applications use Windows or Active Directory for authentication; almost every internet application will use FormsAuthentication or a variant thereof. FormsAuthentication will handle storing the user name for you.
What you are discussing is authorization: what parts of the application a person can get to once they are authenticated. There are a number of ways to do this; role-based authorization is usually the best way to go. Each role would be able to access certain pages. This check is generally in the Page_Load event for that page, or built into the web.config files. There are other ways, but I think those are the most popular. You could make it part of your Authenticate_Request event too; I've seen that pretty often, but it's not a preference of mine to mix authentication code with authorization code. But again, it's a preference, not a rule.
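A web.config sketch of the role-based approach described in this answer, added as an illustration and not part of the original post. The folder names (`Admin`, `Reports`), role names and login URL are assumptions, and a role provider is assumed to be configured separately.

```xml
<?xml version="1.0"?>
<!-- Added example: folder names, role names and loginUrl are assumptions. -->
<configuration>
  <system.web>
    <!-- Authentication: FormsAuthentication issues the ticket and tracks the user name. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" timeout="30"
             requireSSL="true" slidingExpiration="true" />
    </authentication>

    <!-- Site-wide default: "?" means anonymous users, who are sent to loginUrl. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Needed so that roles="..." rules can be resolved for the signed-in user. -->
    <roleManager enabled="true" />
  </system.web>

  <!-- Authorization per folder. Rules are evaluated top to bottom and the
       first match wins, so the allow must come before the deny. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <!-- Without this line the request falls through to the inherited
             rules, and any authenticated user would be let in. -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="Reports">
    <system.web>
      <authorization>
        <allow roles="Admin,Manager" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The same decision made in code would be a `User.IsInRole("Admin")` check in the page's `Page_Load`; keeping it in web.config means a new page dropped into the folder is covered without anyone remembering to add the check.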