Avoid using Impersonation in ASP.NET

Scott Hanselman writes on his blog:

The MSDN Docs are very careful not to recommend using impersonation; it affects connection pooling when talking to databases downstream. The suggestion that one takes care when using impersonation has been in place since its inception. [...]

ScottGu has a good post on how to use declarative authorization to restrict access without impersonation. This works great with Forms Authentication and Custom Principals like we use at Corillian. Here's one of his examples: [...]

[PrincipalPermission(SecurityAction.Demand, Authenticated = true)]

AjaxPro works with PrincipalPermission demands, too. See the example web page at http://munich.schwarz-interactive.de/security.aspx. The same attribute can be used to restrict methods to Roles or Members.
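The following is an added example, not code from the original post, AjaxPro, or ScottGu's article. It shows how the attribute restricts methods by authentication, role and user name, and how the demand fails with a SecurityException when Thread.CurrentPrincipal does not satisfy it. It assumes the .NET Framework; the class, role and user names are constructed for illustration.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Hypothetical service class; all names here are illustrative.
public class AccountService
{
    // Any authenticated caller may invoke this.
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
    public string GetBalance() { return "ok"; }

    // Only callers in the constructed "Managers" role.
    [PrincipalPermission(SecurityAction.Demand, Role = "Managers")]
    public string ApproveTransfer() { return "ok"; }

    // Stacked attributes are combined as a union: role OR named user.
    [PrincipalPermission(SecurityAction.Demand, Role = "Auditors")]
    [PrincipalPermission(SecurityAction.Demand, Name = "alice")]
    public string ReadAuditLog() { return "ok"; }
}

public static class Demo
{
    // The demand is evaluated at method entry and throws on failure.
    static string Try(Func<string> call)
    {
        try { return call(); }
        catch (SecurityException) { return "denied"; }
    }

    static void RunAs(string name, params string[] roles)
    {
        // A GenericIdentity with an empty name is not authenticated.
        // In ASP.NET the runtime sets this principal from HttpContext.User.
        var identity = new GenericIdentity(name, "Forms");
        Thread.CurrentPrincipal = new GenericPrincipal(identity, roles);
        var svc = new AccountService();
        Console.WriteLine("user='{0}' balance={1} approve={2} audit={3}",
            name, Try(svc.GetBalance), Try(svc.ApproveTransfer), Try(svc.ReadAuditLog));
    }

    public static void Main()
    {
        RunAs("");                  // anonymous caller
        RunAs("bob", "Managers");   // role member
        RunAs("alice");             // matched by name only
    }
}
```

The worker process identity never changes in this model, so database connections opened by these methods stay in a single pool.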

Published Tuesday, October 24, 2006 11:51 AM by Michael Schwarz

Comments

# re: Avoid using Impersonation in ASP.NET

Friday, November 03, 2006 11:05 PM by Rod

There is more information about this at www.dotnetspace.com