I'm not up on IIS6, but for previous versions of IIS the IUSR_computername user account is the account used by the web server. If there is any call to any folder, html file, asp file, js, css, image or any other link that doesn't allow the IUSR_computername account then IIS prompts for a windows login for some account that does have permission.
If the login is successful, IIS will continue to impersonate the logged in user.