I suggest using WEP because it will add a hurdle to a possible attack, even with 40bit WEP it can take quite a while to gather enough weak packets to break the key. Most APs have updates that lower the amount of weak packets that are generated. MAC address filtering on the AP only makes the solution more secure by requiring the attacker (after breaking WEP) to _see_ an active client bound to the AP to know its MAC, It adds a small step but for little amount of work it takes to set up it is worth it IMHO. As far as triangulation of the client I have seen some demos and logic behind it but I am not sure that that would fit in with the original poster's concept of "outside the building" =)

I guess my bottom line is:
Make as many hurdles for an attacker to jump over as possible -- With the items I suggested all in place the three "weakest links" in the whole picture are the laptop being used as the client, the person with the password using the laptop, and the physical server.

-Waswas