Workaround 1: Using Firefox 3 or Google Chrome would allow authentication to the proxy and to the web site to work as expected.
Workaround 2: bypass proxy authentication would allow Internet Explorer to authenticate normally to the web site.
Internet Explorer would exhibit a problem loading a web page when it first authenticates to the proxy (407) and then authenticates to the web site (401). This was duplicated with IE 6, 7, and 8 against SG OS 4.2.x.x and 5.3.x.x.
Both proxy and web site authentications used NTLM.
LAN traces showed that the NTLM challenge and challenge response data was not modified when going through the proxy.
This problem was seen in both explicit and transparent deployments.