What is the simplest way to secure internal WCF 4.0 REST Services between WebServer and ApplicationServer?
I have a number of WCF 4.0 REST services on an internal application server which are accessed from a DMZ'd public facing web server. Essentially I am looking for the simplest way to restrict access to the services to calls from the web server and select internal accounts. It seems like a simple task of which I can find no simple answer.
Info:
- IIS6 for both the web server and the application server
- .NET 4
- Web Server is not a part of a trusted domain
- REST Services are 100% code.
- Client calls are passing credentials via System.Net.CredentialCache.DefaultCredentials (not sure if this is the way to go)
For the network part, you can disallow all IPs except the ones you trust in IIS.