When you post a form through ASP to IIS 4.0, from IE 5.0, and you use session variables in the POST, the session variables are not displayed in the browser, like previous versions of IE did.
IE 5.0 has a new feature called NTLM pre-authorization. If it connects to an IIS 4.0 site that uses NTLM security, it caches the credentials for all subsequent requests for that site. If a sub-folder on the site doesn't use NTLM, no challenge is received and the POST is not sent.
To resolve the issue, use Regedt32 to navigate to:
On the Edit menu, Add Value name DisableNTLMPreAuth, a type REG_DWORD, and in the DWORD Editor, set the data value to 1.
NOTE: The problem only happens when NTLM security is on the parent virtual folder and annonymous security is on
a sub folder.