@blowdart: question, if you don't undo the context in the catch aren't you falling in the security hole mentioned here http://blogs.msdn.com/b/shawnfa/archive/2005/03/22/400749.aspx? (another code can catch the exception and run as the impersonated user), or in this case it doesn't matter because is a web page that cant be called by someone else?