Hi Mark,
It can be done, but it would require you to not use the user.config file and instead keep all of the settings maintained directly inside your web.config file.
You can encrypt any sections of Web.config including the <appSettings section where the db connection string with user and password are stored.
This post on stackoverflow has relevant links.
Hope it helps,
Joe