We get inconsistent application behavior on Authorization based on NTFS ACL
Permissions.

We implemented an ASP.NET 1.1 web application using NTFS ACL Authorization,
and implemented a security audit logging call in the
Application_AuthorizeRequest event of the Global.asax:
    protected void Application_AuthorizeRequest(Object sender, EventArgs e)
        {
            AuditLog.LogAccessAttempt();
        }

The audit logging is designed to log access attempts - both authorized and
unauthorized.  For the web application we use integrated windows
authentication (this is an intranet application). On the web application
directory NTFS permissions, we add the roles which are authorized to the
application.  In the web.config we configure the authentication and
authorization as follows:

 <authentication mode="Windows" />

 <authorization>
   <allow users="*" />
 </authorization>

On the development servers upon which we intitially tested the
unauthenticated users received 403 HTTP response codes, and their access was
logged by our audit logging mechanism (the call embedded in the
Application_AuthorizeRequest).

Then we found that on the QA servers, although the unauthenticated users
received a 401.3 HTTP response code, the audit logging for unauthorized
access was not executed.  Debugging showed that IIS never passed control to
the Application_AuthorizeRequest event. The requests of users who are not
authorized via NTFS ACL's (yet are authenticated) do not get to the
Application_AuthorizeRequest event.

We checked that IIS and the NTFS ACL's were configured the same on all
machines, and that they all ran the same OS and IIS versions: Windows Server
2000 SP4 and IIS 5.00.

NTFS ACL's included group that needed access with read, read & execute, and
list file contents.

Why do we see this inconsistent behavior?