The xsn file is the form.  Without it, they can't open the form.  This is a
problem with any two-tiered application.  If the client makes it's own
connections to a database, the connection string must be there somewhere.

This would be true of any client application that makes it's own connections
to SQL Server.  I use a web service to talk to the form, and the web service
makes the connections to the DB (after it authenticates the request, and
check the role for authorization).

Regards,
Mike Sharp

You can create a webservice which pulls the connection strings, and then update the connection properties of your data sources in code, and manually query.

XSN file contains database connection strings. So it is
not acceptable to allow user to downlad my xsn file. How i
can restrict users to not download my xsn file? They
should not to see data connection strings. Is there any
advice for this?

How can i make my infopath forms secure?

Thanks.