Both valid IIS configuration and ISAPI Filters can result in the
behavior you observe. Can you validate your configuration?
WSS installs an ISAPI Filter, which can alter request/response behavior
to be inconsistent with IIS Authentication configuration.
Since the Authentication protocol can be set on a per-URL basis, you must
also prove that Authentication is set correctly at the URL scopes that
you are using.
Thus, I can certainly configure IIS to respond with the behavior you
claim with either an ISAPI Filter or plain IIS configuration, and it'd
be perfectly correct according to configuration. You have to disprove
my assertions before you can consider the behavior "yet another Basic
Auth/default document bug".
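
One way to run the validation asked for above, as an added example that is not part of the original post: resolve the authentication schemes in effect at each URL scope and compare them with what the server returned to an unauthenticated request. The scope table, the observations and all function names are constructed for illustration; a mismatch points at either a scope-level override or a filter changing the response.

```python
# Constructed sample: authentication schemes configured per URL scope.
# A path with no entry inherits from its nearest configured parent scope.
CONFIGURED = {
    "/": {"Negotiate", "NTLM"},
    "/reports": {"Basic"},
    "/reports/public": {"Anonymous"},
}

# Constructed observations from unauthenticated requests:
# (path, HTTP status, schemes seen in WWW-Authenticate headers).
OBSERVED = [
    ("/default.aspx", 401, {"Negotiate", "NTLM"}),
    ("/reports/q1.aspx", 401, {"Basic"}),
    ("/reports/public/readme.htm", 200, set()),
    ("/reports/", 401, {"NTLM"}),  # challenge differs from configured Basic
]

def effective_auth(path, configured=CONFIGURED):
    """Return (scope, schemes) for the deepest configured scope covering path."""
    segments = [s for s in path.split("/") if s]
    for depth in range(len(segments), -1, -1):
        scope = "/" + "/".join(segments[:depth])
        if scope in configured:
            return scope, configured[scope]
    raise KeyError("no root scope configured")

def expected_response(schemes):
    """Expected status and challenge set for a request with no credentials.

    Simplifying assumption: if Anonymous is enabled, the anonymous account
    can read the resource, so the request succeeds without a challenge.
    """
    if "Anonymous" in schemes:
        return 200, set()
    return 401, set(schemes)

def audit(observed=OBSERVED, configured=CONFIGURED):
    """List (path, scope, expected schemes, observed schemes) for mismatches."""
    findings = []
    for path, status, challenges in observed:
        scope, schemes = effective_auth(path, configured)
        want_status, want_challenges = expected_response(schemes)
        if (status, set(challenges)) != (want_status, want_challenges):
            findings.append((path, scope, sorted(want_challenges), sorted(challenges)))
    return findings

if __name__ == "__main__":
    for path, scope, want, got in audit():
        print(f"{path}: scope {scope} expects {want}, server offered {got}")
```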