Each security zone has a "User Authentication" setting for its content that is one of
Value Setting --------------------------------------------------------------- 0x00000000 Automatically logon with current username and password 0x00010000 Prompt for user name and password 0x00020000 Automatic logon only in the Intranet zone 0x00030000 Anonymous logon
Eric Law's article in IEInternals entitles "The Intranet Zone" explains very well how content is identified as belonging to the Intranet zone and whether the Intranet zone is enabled at all. However, the setting "Automatic logon only in the Intranet zone" exists in all three zones - Trusted Sites, Internet, and Intranet.
Presumably, a URL is identified as belonging to one of the zones, then the security settings are applied to that zone. But then that means the setting is specific to the zone. The implication of this is that the setting "Automatic logon only
in the Intranet zone" is no longer talking about the content or URL, but rather some aspect of the browser's state (e.g. what network it is using to reach the content or whether the domain can be contacted).
Let's say we are currently connecting to a site that is identified as part of the Trusted Sites zone, and we get a WWW-Authenticate challenge. Now we need to look at the security settings for the Trusted Sites zone. If it says "Automatic logon in the Intranet Zone", what does that mean?
So I gather from this that either "Automatic logon only in the Intranet zone" means
- "in this content zone if you're not the Intranet zone, don't use automatic logon"
- "if you're connecting from the Intranet, use Automatic logon"
Which is it?
If it is (1), why does the option exist at all? Presumably we could have just option 0, 1, and 3 and it would mean the exact same thing.
If it is (2), precisely what rules does IE use to determine it is connecting "from the Intranet". Specifically, does it use Network Location Awareness?