Providing you have physical access to the IIS server or at least you can get someone to make some small ajustments, you can easily secure the photos.
You can just create a virtual directory to a folder on your server with the images. And then just set the permissions in IIS under the VD's properties and then under 'Directory Access' to not allow anymous access.
The down side is that you either have to have an account on the domain/server for each person so they can login or and one account everyone uses.
This may not be the most ideal way, but it would work. It depends on things like if it is for an intranet or internet.
So then if someone types into their browser the direct link, the IIS authentication login window will pop up and if they don't have a valid username and pwd it won't let them through. Once they login, it won't show up again until their session timesout.