hi this is a new area for me so I have a few questions please.

firstly, what is the difference between a HttpHandler and a HttpModule as Im not sure?

next my problem. I have 2 webservice .asmx files on my web server. they both implement custom SOAP header security. however one of these web services I also want to limit access to just the local network. I am told I can do this using a HttpModule to check the IP address of the Server requesting the resource. this request should only be coming from one server on our network so this seems like it might work.

does this seem like a good way to achieve my objective here? what about IP spoofing? any advice much appreciated. 

An HttpModule provides additional processing functionality as a request is passed through the ASP.NET pipeline on its way to an HttpHandler (and on the way out as well, if needed).

An HttpHandler is the end point of a request.

So modules are typically used for security, caching, URL rewriting and so forth. Handlers serve up chunks of data, such as page content, images, etc.

You can use an HttpModule to provide a level of security, but as you rightly point out someone might try to spoof an IP address. A more secure option would be to use encryption using asymmetric keys. You might want to look at WSE to see how this is currently supported on the .asmx stack.