In January, someone at Google discovered a bug in Windows that had been there for 17 years. (This was reported at The Register, among other places.) Microsoft have now released a patch, as described in Security Bulletin MS10-015, so it’s no longer a problem. However, I think that the details are interesting, particularly if you intend to move to 64-bit Windows at some point.
A while back, I was setting up an internal website (on a Windows domain with Active Directory), where I needed to identify each person who connected to it. IIS has an option for “integrated Windows authentication”: the idea is that if you’re already logged into the domain then you don’t have to provide a new username and password (or retype your Windows password) because the webserver will recognise you. This is similar to the way that permissions work on a fileserver, and I’ve used the same approach for desktop applications. One scenario is that you might want to use Outlook Web Access internally.
However, in order for this to work, the web browser actually has to send the relevant information to the webserver. The website doesn’t actually get your password, just your username, e.g. “Golgothajkirk”. Opinions may vary about whether this type of authentication is a good idea; personally, I think it is, because I don’t want people to get into the habit of typing in their password whenever a pop-up dialog box asks them for it. Still, whatever your views, it makes sense to be able to control this setting.