By nested, I mean for example that if there is a css file with links to images on the same IIS application, these subsequent requests will result in a 401.2 response. I have been able to duplicate this and have verified a workaround. The subsequent files in my case are images, and are wholy contained in an images folder, which I can configure for anonymous access. This removes the need to authenticate for the nested requests. Nevertheless, the bug remains.
Here is an excellent resource for configuring IIS for authentication.