http://support.microsoft.com/kb/899417/en-us
This issue occurs if the following conditions are true:
The Internet Explorer advanced option Enable Integrated Windows Authentication is enabled.
You use the NetBIOS name to access the Web site, and the name is resolved through Domain Name System (DNS) as a fully qualified domain name (FQDN).
The Web site Service Principal Name (SPN) exists only as an FQDN in the Active Directory directory service.
The value for the DNS Cache Timeout setting is lower than the DNS Time to Live (TTL) setting value.
When you use the WWW-Authenticate: Negotiate method of HTTP authentication, the Internet Explorer client DNS cache entry may expire. When this entry expires, the Wininet.dll file on the client computer uses the Hostname entry in the Uniform Resource Identifier of the HTTP request to request a new SPNEGO token from the domain controller. The Wininet.dll file uses this Hostname entry instead of using the FQDN that was returned from the initial DNS Resolver query.
To work around this problem and reduce the frequency of this error, set the Internet Explorer DNS Cache Timeout value to the same value as the DNS TTL value in the enterprise. To set the Internet Explorer DNS Cache Time-out value, follow these steps:
Click Start, click Run, type Regedit, and then click OK.
To set the Internet Explorer DNS Cache Timeout value per user, locate and then click the following registry subkey:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Current Version\Internet Settings
On the Edit menu, point to New, and then click DWORD value.
Type DNSCacheTimeout and then press ENTER.
Click DNSCacheTimeout, click Edit, and then click Modify.
In the Value data box, type the value that you want in seconds, and then click OK.
Note The default value for the DNS TTL is 1800 seconds.
Quit Registry Editor.
http://blogs.msdn.com/b/spatdsg/archive/2007/11/20/kerberos-delegation-end-to-end-part-ii.aspx
Good listing of a problem with Kerberos and the anonymous login.
