Am I doing it right?

I'm finding I'm increasingly creating sites in a similar form and I'd like to clarify if I'm doing it in the most efficient manner for security management and generally a railsey approach.

I make a welcome controller and associated actions e.g.

./script/generate controller welcome actionname1 actionname2 actionname3 actionname4 actionname5

I then populate the views for all the actions in the welcome controller with suitable content.

That's it for the front end.

Then for my backend <cough>, I use acts_as_authenticated and generate an account model and a user or two.

I then create various other controllers generally with scaffolding and secure them with a before filter (filter all the actions unless the user is logged in).

That's basically it.

In my welcome controller views I generally access variables created by the backend functions (for example blog entries or whatever).

Is my approach an "ok" one? After deploying my 2nd Rails site I want to make sure I've got the right idea before going on.

I use migrations, but I'm not testing yet, that's my next goal.