Well, no, sorry to confuse. You can run a very complex website on IIS without requiring additional CALs if the website does not provide access to any Microsoft servers on your network.
If you are providing access to your
customers through IIS, then you don't need to get any additional CALs
if and only if they do not need to be authenticated against a user / device account in your network or on the local Windows Server SAM.. So if you are running a 3rd-party application that has its own user database, you do not need additional CALs.
If you are providing your customers with access to resources located in your physical network (i.e. they need to authenticate against Active Directory, or a local user account on a particular server), then they would need CALs.
If your host OS AND your VM OS are both Windows Server 2003 Standard, you will need two Server licenses if you are working with old Server 2003 licenses. If you have not yet purchased a license, you can buy a Windows Server 2008 Standard license which allows you to run one (1) VM as well as the host.
You should ignore the whole host-routing-traffic-to-the-VM notion. If you have two installs of Windows Server 2003 Standard, you need two licenses, basically.
For your database server, if it is running Windows Server 2003 Standard, you will be fine with the included 5-CALs if the only system accessing it is going to be your front-end web server.
This link should provide most of your answers:
http://www.microsoft.com/windowsserv...q.aspx#extconn
For future planning, when you move to VMWare ESX Server, you should plan on buying a Windows Server DataCenter license for your ESX Server. The DCE license is licensed on a per-processor ("socket") model, and is more economical to buy if you intend on running more than 5 Windows Server Virtual Machines on the ESX system.