Last week one of my colleagues was trying to create a production-like site on his laptop using IIS6 and Windows Server 2003. He created a site and gave it the host header mysite.corp so it could be differentiated from the other sites. To make this work he created an entry for mysite.corp in his hosts file that points to 127.0.0.1 (or localhost). Instead of a working site he got an HTTP 401.1 – Unauthorized: Logon Failed error page.
At this point we thought it was a simple ACL problem, so we added the NETWORK SERVICE account, the internet guest account (IUSR_<Host>) and the Launch IIS Process Account (IWAM_<Host>), thinking this would solve the problem. It did not.
After some hard thinking and serious googling we found KB896861 which describes this problem. With service pack 1 for Server 2003 (and SP2 for XP) a security feature was introduced that protects against attacks on your loopback device. Luckily for us the knowledge base article also lists two solutions. The first one is creating an exception for each host header you use and the second one disables the feature altogether. We opted for the former and the problem went away.
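The per-host exception as a PowerShell sketch. This is an added example, not code from the post or from the KB article. The registry value names (BackConnectionHostNames, DisableLoopbackCheck) are the ones KB896861 documents rather than names given in the post. It assumes PowerShell is installed on the server and run as an administrator.

```powershell
# Added example: allow loopback authentication for one host header only,
# and report if the loopback check has been disabled machine-wide.
$hostHeader = 'mysite.corp'   # host header from the post
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10 = Join-Path $lsa 'MSV1_0'

# Audit step: DisableLoopbackCheck = 1 is the "disable altogether" option.
# It removes the protection for every name, so flag it if it is present.
$lsaProps = Get-ItemProperty -Path $lsa
if ($lsaProps.DisableLoopbackCheck -eq 1) {
    Write-Warning 'DisableLoopbackCheck is 1: the loopback check is off for all host names.'
}

# Read the current exception list (REG_MULTI_SZ); it may not exist yet.
$props = Get-ItemProperty -Path $msv10
$names = @()
if ($props.BackConnectionHostNames) {
    # Drop empty entries so the rewritten value stays clean.
    $names = @($props.BackConnectionHostNames | Where-Object { $_ })
}

if ($names -contains $hostHeader) {
    # -contains is case-insensitive, which matches how host names compare.
    Write-Output "$hostHeader is already listed in BackConnectionHostNames."
}
else {
    # Append rather than overwrite, so exceptions for other sites survive.
    $names += $hostHeader
    New-ItemProperty -Path $msv10 -Name 'BackConnectionHostNames' `
        -PropertyType MultiString -Value $names -Force | Out-Null
    Write-Output "Added $hostHeader. Current exceptions:"
    $names | ForEach-Object { Write-Output "  $_" }
}
```

Keep the list limited to host headers that are actually served from the machine itself, and restart IIS or the machine afterwards so the new value is picked up.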