You have to publish your web first. Once it is published,
open it in IE and click File > Edit with Front Page. Once
open in front page, click on Tools > Server > Permissions.
You can then set permissions from there. Be aware that if
you set permissions here it will set the for your entire
site. If you only want a select few pages protected you
must first put them in a 'subweb' and have that subweb be
protected.
I believe that it is the AD in W2K that authenticates each
user and yes, you would have to use a db for any other.
You would set up a db that checkes to see if the username
and password match and then would let the user in to the
page.