Vulnerability Development mailing list archives

IIS4 / WAP vulnerability?


From: bbl () AVENIR NO (Bjørnar B. Larsen)
Date: Fri, 25 Feb 2000 18:38:22 +0100


Is there a way that IIS4 may bypass NTFS rights?

WAP server: NT4 sp6a + all hotfixes; IIS4 + all hotfixes; Exchange 5.5 OWA
SP3 (only the OWA part, it's not the actual Exchange server).

What happened:

1. I connected to the WAP server with my Nokia WAP mobile phone, wanting to
read e-mail. I logged on using my credentials. Got my email, started
reading.

2. A friend sitting next to me connects to the same WAP server, but his
Nokia WAP phone hangs before he gets to enter his password.

3. He reboots his cellular, reconnects to the WAP server, is not asked for
any username/password. Then he gets to read MY email!

Setup of the WAP server:

Virtual catalogue: execute (including script), anonymous access, basic
authentication.

NTFS rights: Domain Users:READ; Administrators:FULL; SYSTEM:FULL (note:
IUSR_<machine> has no explicit access).

I am at this time not sure if there's any special WAP parsers or similar
installed. Usual ASP files are used, so I guess it's the ASP engine.

Perhaps the default document gets sent regardless of NTFS rights? If so,
IIS4's broken.

Any suggestions as to how and why my friend got logged on as *me*? There's no
reason why he should, even though I was the last to log on and was still logged
on while he connected.

Cheers,

:) Bjørnar

PS. Needless to say I've turned off the WAP functionality and asked the
developers to look into it. It would be nice to get an in-depth discussion
going here, though.
