Erhan -
Your primary security objective isn't to protect your source code; it is to protect your customers' data. To that end, you have to make sure that (A) your communication is secure (SSL), (B) your code implements appropriate security (isn't subject to SQL injection attacks) and (C) your database is secure.
For (A) - communication security - you'll need to get an SSL Cert from someone like Thawte (that is who we use and I like them). When you install the Cert on your server, you'll want to ensure that the web site only accepts secure (SSL) connections - at least for all pages with sensitive data. For example, all forms with credit card data must be submitted via SSL.
For (B) - code security - this is worthy of an entire book! You must not, for example, construct SQL calls by just appending forms/request data collected from the web page (this leaves you open to SQL Injection attacks). All SQL arguments must be parameterized. etc. etc. No one can explain security in an SO post - you have a lot to learn.
For (C) - SQL Server security - this too is a complex topic but there are a few key points. Based on your description, I'm assuming that the SQL Server is running on the same server as your web app. This means that you do NOT want it accepting ANY connections from the network. Don't be tempted to leave this open so that you can access it easily from the SQL Management Studio on your desktop...this is just horrible, stupid security practice. You can access it via Remote Desktop after signing on to the remote server. Also, disable the 'sa' account - just do it right now. People finding you on port 1433 (if you don't disable all network access) will be flinging brute force password guesses against the sa account every second of every minute, etc. for years. We get about 17,000 a day on a non-web site database that we maintain for a few customers. There is more to learn here but if you take those two steps, you're pretty well covered. Just to be sure, though, I recommend that you also run the MS security surface analysis tool and follow its recommendations, where appropriate, to reduce the visibility of your SQL Server.
As far as virtual machine hosting, it should be fine. However, dedicated hosting only runs about $199 a month at MaximumASP (who I use, recommend and think are among the best in the business!). I would recommend that you consider using your own dedicated server just so that you can easily scale your business if it proves successful.
With respect to your database, SQL Server Express will work for this and, yes, you can upgrade to the Workgroup Edition in the future. The database limits won't cause a bottleneck for your web site unless you actually hit those limits. You'll need to figure out whether that is likely. That being said, I really would not recommend trying to run a professional web site on the free version of the MS database - especially one holding financial data. With any success whatsoever, you are likely to bang into those limits. Many web hosting companies (and MaximumASP in particular) will let you add a professional version of SQL Server to the price of your server for a minimal price (e.g. $25 a month or something similar).
Finally, you appear to be a bit confused about Web Applications versus Windows apps. In a web app, your users will not have access to your source code/DLLs (IIS blocks access to a variety of files including dlls and .config files). They aren't downloading and installing an application so you will not need to sign your code and you have no need for obfuscation. "Reflector protection" doesn't even make sense to me in this context.
If you are worried about your hosting company seeing your code, you should find a different hosting company. That being said, I just can't imagine that any reputable hosting company really cares about seeing your source code.
Good luck!
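
Added example (not part of the answer above): a Python sketch that checks point (C) against a SQL Server ERRORLOG by counting failed logins per client, totalling guesses against `sa`, and listing any remote client that reached the instance at all. The function name `summarize`, the threshold and the sample lines are assumptions made for illustration; the sample log is constructed and uses documentation IP ranges.

```python
import re
from collections import Counter

# The "Login failed" line SQL Server writes to ERRORLOG after error 18456.
FAILED = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)
# Client values that mean the connection never crossed the network.
LOCAL = {"<local machine>", "127.0.0.1", "::1"}

# Constructed sample lines, not real log data.
SAMPLE_LOG = """\
2024-05-01 03:10:01.11 Logon       Error: 18456, Severity: 14, State: 8.
2024-05-01 03:10:01.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 03:10:02.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 03:10:03.72 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 03:10:05.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 04:22:10.90 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 198.51.100.20]
2024-05-01 09:00:00.00 Logon       Login failed for user 'webapp'. Reason: Password did not match that for the login provided. [CLIENT: <local machine>]
2024-05-01 09:00:01.00 spid51      Starting up database 'shop'.
"""

def summarize(log_text, threshold=3):
    """Return sa failure count, remote clients seen, and noisy clients."""
    per_client = Counter()
    sa_failures = 0
    remote = set()
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # not a failed-login line
        client = m.group("client")
        per_client[client] += 1
        if m.group("user").lower() == "sa":
            sa_failures += 1
        if client not in LOCAL:
            # Any remote client here means the instance is reachable
            # from the network, which the answer says to turn off.
            remote.add(client)
    noisy = {c: n for c, n in per_client.items() if n >= threshold}
    return {"sa_failures": sa_failures,
            "remote_clients": sorted(remote),
            "noisy": noisy}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Once network access is disabled, `remote_clients` should stay empty on fresh logs; a non-empty list means a listener is still exposed.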