If the Basic authentication option is set in the Internet Service Manager configuration, IIS will honor authenticated access for HTTP requests that contain user ID and password information.
As we've discussed before, most browsers don't automatically include user ID and password information with HTTP requests. Instead, this happens only if access is denied when the server attempts to access a page or resource. At that point, a request-denied HTTP response is sent back to the browser, with a list of the authentication methods supported by the server in preferred order. If the server indicated that it would prefer Basic HTTP Authentication, the browser (if capable) will honor it by popping up a dialog box requesting the user ID and password from the user. Only after the user has entered the user ID and password will the browser actually send an HTTP request that contains user ID and password information in its header.
Basic HTTP Authentication involves sending the user ID information (potentially containing an authentication authority, as in WRDOMAIN\JULIAN) and the password over the wire using simple Base64 encoding. This is equivalent to sending the password in clear text, and is inherently insecure. Ironically, this is also (currently) the most powerful form of authentication available for IIS. It's powerful because the server actually obtains the user's full credentials, including the password. With this information, the server can access all the resources that the original user can access, including network-based resources that require passwords for access.
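The exchange described above, as an added Python example that is not part of the original text: it lists the schemes a denied response offers, builds the header the browser then sends, and decodes it again with no key or secret, which is why Base64 here is equivalent to clear text. The function names, the sample response, the realm and the password are constructed for illustration.

```python
import base64
import binascii

def offered_schemes(response):
    """Auth schemes offered by a denied response, in the server's order."""
    schemes = []
    for line in response.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0])
    return schemes

def build_basic_header(user_id, password):
    """What the browser sends once the user has filled in the dialog box."""
    token = base64.b64encode(f"{user_id}:{password}".encode("utf-8"))
    return "Authorization: Basic " + token.decode("ascii")

def parse_basic_header(line):
    """Recover authority, user and password from an Authorization header."""
    name, _, value = line.partition(":")
    parts = value.split()
    if (name.strip().lower() != "authorization" or len(parts) != 2
            or parts[0].lower() != "basic"):
        raise ValueError("not a Basic Authorization header")
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("credentials are not valid Base64 text") from exc
    # Split on the first colon only: the password may itself contain colons.
    user_id, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' between user ID and password")
    # The authority prefix is optional (WRDOMAIN\JULIAN versus plain JULIAN).
    authority, slash, user = user_id.rpartition("\\")
    return {"authority": authority if slash else None,
            "user": user, "password": password}

# Constructed sample data: this response and the password are made up.
DENIED = ("HTTP/1.0 401 Access Denied\r\n"
          "WWW-Authenticate: NTLM\r\n"
          'WWW-Authenticate: Basic realm="intranet"\r\n\r\n')

if __name__ == "__main__":
    print(offered_schemes(DENIED))
    header = build_basic_header("WRDOMAIN\\JULIAN", "s3cret:pw")
    print(header)
    print(parse_basic_header(header))
```

Anything that can read the request header can run the same decode, so Basic authentication is only as confidential as the channel that carries it.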