IE5 has a new feature called NTLM pre-authorization which lets the browser cache credentials if an NTLM challenge is received. Subsequent requests use the cached credentials.
If you post a form via an ASP page, to IIS 4.0, and a sub folder on the site does not use NTLM (but the parent does), the browser does not send the POST data to the server.
To solve this problem, use Regedt32 to navigate to:
On the Edit menu, Add Value name DisableNTLMPreAuth as a type REG_DWORD and set the data value to 1 (true).