Bob Beauchemin posted an interesting look at SQL Server's 2005 SOAP support features here (Least privilege and HTTP endpoints). What I found the most interesting in it was this:
...When you create an HTTP endpoint, SQL Server issues a "namespace reservation" for part of the HTTP namespace. The reservation is used when other applications (like IIS 6.0) use the HTTP.sys implementation at the same time. It attempts to issue the reservation *using the identity of the principal this is running the SQL Server process*, not as your currently logged on user.
Bob goes on to talk about how to make the reservation.
There's another thing you want to remember when using these services. If you're calling them with Windows Integrated Security, it should "just work." But if you need to call them using a standard login context, you'll have to pass those in as WS-Security headers in the SOAP headers.
I'm getting more and more interested in the the SOAP feature and its good to see that MS is taking steps to them more bulletproof from a security POV.