Different hints for you :
- You can push Application by mail using Publisher
- You can publish Ajax applications, and rely on IIS authentication like other webapps.
- If you have identified sales people, you may restrict QVServer port (default 4747) to some mac address by firewall settings
- You can work with the DMS service to identify users by different ways (changing password SecureId cards,...)
But the truth is that Internet is public, and all softwares may have "holes" (as you can see with browsers security patches). So showing data thru the net is always a risk, and i'm quite sure no editor will guaranty total safety...
In our country, the QlikTech license contract says that they guarentee that software is conform to the documentation and no other warranty, and you accept to use it "as it is".
If security is an important matter, I recommend you to ask for professional services at Qliktech to best implement your concerns.