Is it possible to setup Authorization based on the zone of the request? Basically it is an intranet type application, with only little sensitive information.
If the request is performed from within the organization, it is fine to allow anonymous users.
However if it is an external request, they should get the 401 Authorization challenge. External requests are coming from a single firewall, so an IP/IP range should be fine to specify if it is an external or internal request.
Currently it is configured for Windows authentication in the web.config file.
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>