In IIS 5.x and below we may remember the Allow IIS to control password check box under Properties > Directory Security > Edit > Authentication Methods > Anonymous User Account. In IIS 6.0, this check box is not available and the functionality behind this check box is not enabled by default.

This technology is called "sub-authentication" and it is not good because it reduces the level of security of IIS 6.0 and forces IIS 6.0 to run in the INETINFO process and forces the local SYSTEM account to impersonate the account specified for anonymous access. This is because when IIS is allowed to "control" the Anonymous User password, it actually completely ignoring it.

The reason why IIS 6.0 does this is to prevent a user account from logging on to a domain controller, which does not allow users to log on locally be default. Unfortunately this exposes the local SYSTEM account to the network.

It should not be a surprise then that to enable Sub-Authentication requires using the command line:

RUNDLL32 %windir%\\system32\\inetsrv\\iissuba.dll,RegisterIISSuba

and the IIS Metabase:

AnonymousPasswordSynch=True