Windows Server 2012 R2
IIS 8.5
Internet Explorer 11

I have an IIS web application that supports Windows Authentication (Providers: Negotiate, NTLM).

I have a use case where a given user has multiple accounts. His IE settings consider the site to be in the "Local Intranet" zone and, as such, automatically attempt to log on with the username he's logged into Windows with. He needs to use his other account to properly authenticate with the site but doesn't get a challenge prompt to enter the credentials. When this happens, the site immediately returns a 403 error and that's it.

Is there a way to configure the IIS site to challenge the user to authenticate instead of giving up? I can't remove the site address from the "Local Intranet" Zone in his browser due to security policies and likewise, I can't change the automatic logon policy for the entire Local Intranet Zone.

Is there another way?

Mike B
  • What OS is the client on? You could set up his other account in the Account Control section of his profile, aka here: Control Panel\All Control Panel Items\Credential Manager – yagmoth555 Mar 15 '18 at 17:50
  • Windows 7 and Windows 10. Interesting, I'll look into that, thanks. – Mike B Mar 15 '18 at 19:29
  • Why use IE11? If the admin hasn’t configured GPO for Chrome or Firefox those browsers won’t do that. Just have him use an alternate browser for this purpose. Firefox would be my first choice because it’s so ridiculously complicated to apply GPO most people won’t even screw with it. But using an even more obscure browser like Opera or something would almost definitely do the trick. – Appleoddity Mar 16 '18 at 03:41

1 Answer

There is nothing in the IIS configuration that has influence on how a browser gets the credentials to be sent to the server.

One workaround for your problem is:

Make sure the Windows account needed to log into the site is also a user on the user's Windows OS.

Have the user start a separate IE instance under that second user account, then if set up to log in automatically, it should work without entering the credentials again.

Peter Hahndorf
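The workaround in the answer above can be scripted on the client. The following PowerShell is an added example, not part of the original answer: it reports the Local intranet zone's logon setting (registry value `1A00`) and then starts Internet Explorer under the second account. The URL and account name are placeholders, and the registry lookup order is a simplification.

```powershell
# Added example. $SiteUrl and $AltUser are placeholders, not values from the post.
$SiteUrl = 'https://intranet.example.local/'
$AltUser = 'EXAMPLE\second.account'

function Get-IntranetLogonMode {
    # Zone 1 = Local intranet; 1A00 = "User Authentication > Logon" setting.
    # Assumption: policy keys are checked before the per-user preference and
    # the first value found is reported.
    $suffix = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
    $paths  = @(
        "HKLM:\SOFTWARE\Policies\$suffix",
        "HKCU:\SOFTWARE\Policies\$suffix",
        "HKCU:\SOFTWARE\$suffix"
    )
    foreach ($path in $paths) {
        $item = Get-ItemProperty -Path $path -Name '1A00' -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $mode = switch ([int]$item.'1A00') {
            0x00000 { 'Automatic logon with current user name and password' }
            0x10000 { 'Prompt for user name and password' }
            0x20000 { 'Automatic logon only in Intranet zone' }
            0x30000 { 'Anonymous logon' }
            default { 'Unknown value' }
        }
        return [pscustomobject]@{ Source = $path; Mode = $mode }
    }
    return [pscustomobject]@{ Source = 'none found'; Mode = 'Zone default applies' }
}

# Show why no prompt appears: with automatic logon, IE sends the logged-on
# user's credentials to intranet sites without asking.
Get-IntranetLogonMode | Format-List

# Start a separate IE instance as the second account. Its automatic logon then
# uses that account's credentials, so the zone policy itself stays unchanged.
$cred = Get-Credential -Credential $AltUser
$ie   = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'

# WorkingDirectory is set explicitly because the caller's current directory
# (often inside their own profile) may not be readable by the second account.
Start-Process -FilePath $ie -ArgumentList $SiteUrl -Credential $cred `
    -WorkingDirectory $env:SystemRoot
```

The second account must be allowed to log on interactively on that workstation, which is the first step of the answer.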