My background is not with web applications so this problem is hard for me to explain easily. First I'll try to describe the setup.

Client setup:
-Only browser that is effected is IE 6-8 (Firefox, chrome, opera, and safari all work fine)
-A user will try to access our web application from a company laptop that is not connected to our network.
-This machine will be a member of our workgroup and have the company DNS listed as a trusted intranet site. (to which the application in question would be a member)
-The security logon mode is set to Automatic Logon only in intranet zone only, and IWA authentication is enabled on the clients browser.

Server setup:
-Windows server 2003 fp2
-The application will first redirect to an Authorization asp page which has anonymous access disabled and IWA enabled in IIS.

what should happen is that, since the client is not currently on the network, when this page is called it should prompt the user for network credentials. But with IE, instead of prompting, the user gets a page cannot be displayed error because the IIS manager is denying access to the asp page. If the company DNS is removed from the trusted intranet site list then it prompts correctly but disables single sign on the next time that computer is connected to the network or vpn.

My assumption is that since IE uses IWA and the site is listed as an internal site, when no network is found IE just sends nulls to the server attempting to authenticate which is swiftly punted back. Other browsers do not have security zones so when network credentials are not present the server prompts for them.

Is there a way to get around this so that our clients can keep the company DNS in the intranet zone but still have the server prompt for credentials when not on the network? Any attempt to allow for anonymous access on the asp page, as far as I know, will cause AUTH_USER to return null and again break SSO.

I realize this is slightly rambling so I will do my best to clarify and questions you guys might have. Thanks in advance.