setting identity impersonate has the asp.net thread impersonate the identity
of the iis request thread. if you turn off anonymous, this will be the
actual user as you have found.
if iis is setup with windows authenication, then the users secuirty token is
a secondary token (passed from the client machine). the ntlm security (1 hop
rule) prevents the users creditials from being forwarded or used to access
any network resource.
if iis is setup with basic, the username and password is sent to iis, and
iis has a primary token (as it was created by iis itself). in this case the
token can be used to access any network resource with the users security
you have a third option, that is to enable kerberos security, and enable
creditals forwarding on the servers.
-- bruce (sqlwork.com)