When we shipped Commerce Server 2007, we began supporting ASP.NET Authentication for SQL Authentication and ADFS for Windows Authentication. In fact, this became the preferred and directed method to handle site authentication for Commerce Server. The legacy ISAPI authentication filter was maintained for backward compatibility, but was marked as deprecated. This story did not change for Commerce Server 2009.
For the next version of Commerce Server, we are proposing to remove the legacy CS2000/CS2002 ISAPI Authorization filter entirely, effectively forcing you to use ASP.NET Authentication or ADFS.
If this will cause you a problem, please let us know on our CS2009 MSDN Forum post - http://social.msdn.microsoft.com/Forums/en-US/commserver2009/thread/13c3ad67-b1fb-475c-8c88-75709f87dc9b?lc=1033