Oh. You're not setting the mime type.
http://msdn.microsoft.com/en-us/library/system.web.httpresponse.contenttype.aspx
You need to do that so the browser knows what you're sending it.
You are right. Dim sql As String = " SELECT * FROM Image WHERE EmployeeID=@EmployeeID" is fine, but you also need to tell your SQL statement what @EmployeeID is; right now you do not. So, you need to read this: http://www.4guysfromrolla.com/webtech/092601-1.shtml but the short version is, you need this: Cmd.Parameters.Add("EmployeeID", EmployeeId). Amusingly, the example on that site uses the exact parameter name you need to add.
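
The two fixes from the answers above (binding @EmployeeID as a parameter and setting the response content type) put together in one handler. This is an added example, not code from the original posts. The column names ImageData and ContentType, the connection string name "EmployeeDb", the query string key "id" and the class name are assumptions.

```vb
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.Web

' Added example: serves one employee's image from the Image table.
' Assumed (not on the page): columns ImageData and ContentType,
' connection string "EmployeeDb", query string key "id".
Public Class EmployeeImageHandler
    Implements IHttpHandler

    Public ReadOnly Property IsReusable As Boolean Implements IHttpHandler.IsReusable
        Get
            Return True
        End Get
    End Property

    Public Sub ProcessRequest(context As HttpContext) Implements IHttpHandler.ProcessRequest
        ' Reject anything that is not an integer before it reaches the database.
        Dim employeeId As Integer
        If Not Integer.TryParse(context.Request.QueryString("id"), employeeId) Then
            context.Response.StatusCode = 400
            Return
        End If

        Dim sql As String = "SELECT ImageData, ContentType FROM Image WHERE EmployeeID=@EmployeeID"
        Dim connStr As String = ConfigurationManager.ConnectionStrings("EmployeeDb").ConnectionString

        Using conn As New SqlConnection(connStr), cmd As New SqlCommand(sql, conn)
            ' Bind the value as a typed parameter; it is never concatenated into the SQL text.
            cmd.Parameters.Add("@EmployeeID", SqlDbType.Int).Value = employeeId
            conn.Open()
            Using reader As SqlDataReader = cmd.ExecuteReader(CommandBehavior.SingleRow)
                If Not reader.Read() Then
                    context.Response.StatusCode = 404
                    Return
                End If
                ' Tell the browser what the bytes are before writing them,
                ' and stop it from guessing a different type.
                context.Response.ContentType = reader.GetString(1)
                context.Response.AddHeader("X-Content-Type-Options", "nosniff")
                context.Response.BinaryWrite(DirectCast(reader(0), Byte()))
            End Using
        End Using
    End Sub
End Class
```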