For users with "Change Password on Next Logon" set, you want to redirect their request so they can change their password.
Natively, Windows authentication in IIS doesn't allow for this functionality. Users will continue to be denied until their password is changed. You could modify the returned IIS error page with a link to the change password portal, or just let your users know that if they can't log in, they should try changing their password.
One alternative is to create a custom IIS module which intercepts the request just before the auth process. More information about taking this approach can be found here; however, I'm 90% certain it will be too complex of a solution.
The recommended solution would be to use forms authentication. Then customize the logon process to identify this change password scenario and redirect the user to a change password screen. This provides the best user experience but also involves a lot of customization.
Finally, don't use Windows Authentication with Forms Authentication. Just choose one. Note that non-Windows clients won't be able to connect using Windows auth.