One of the things I work on at Wharton is a student portal. The portal is a public web site, but most features are protected by a web form login. A common complaint from students is that they’re forced to log in to the web site after they’ve already logged into a school computer lab computer with the exact same account. Shouldn’t the portal already know who they are without another login?
After doing some experimenting, I’ve found it’s possible to combine anonymous access, web form authentication, and Integrated Windows authentication. I’m throwing out my approach in case anyone needs to do something similar. We run ColdFusion on IIS servers to power our apps, but you may be able to adapt this for other platforms.