
Windows authentication with host headers - one user has access without requiring login


There is a website on one of my test servers, which I didn't set up, but I'm curious why one domain user can access the site WITHOUT getting prompted for their domain credentials / login. The site is set up to use Windows authentication but also allows anonymous. Their user identity is seen when they enter the site and their user name is displayed, so this tells me IE passed the identity to IIS successfully. However, this site uses host header names, and what I've run into in the past with using host headers with Windows authentication is that users will get prompted once because the URL is seen as a URL on the Internet, not an internal address (see link). This user has fewer permissions than I do, as I have admin rights and they don't. When I access the site, I get prompted, and after entering a login I get through without issue.

I made sure they had all browsers closed, and each time they hit the site, they get in without the login prompt, yet I get prompted.

So what is bugging me, is why would this user be able to get in WITHOUT getting prompted?  

