I believe he is correct. If you have IIS set for Allow Anonymous and Windows
Auth, the user entering the site will always be running under the anonymous user
account since it is “checked†first. No need to check via windows auth since
anonymous is allowed. Separate sites set for separate security models would be
the answer.