A: 

You are correct whoami.exe was confusing you. Launching a separate process caused the new process to run as the user of the current process. On XP that would be the COM+ application host (DLLHOST) and would normally run as IWAM_<machine>. On IIS6 it would the w3wp.exe work process and typically runs as NT AUTHORITY\Network Service.

However a thread processing a HTTP request will impersonate a different security token. With integrated security as you have discovered this would the security token of the user making the request, as your SSPI experiment bears out. With anonymous access the anonymous user configured on the site/application is used, this is typically <MACHINE>\IUSR_<machine>.

As to your specific problem with ServerXMLHTTP this goes back to the underlying component WinHTTP. This by default will only send the current users credentials if the server being accessed is the proxy bypass list. Even then it possible to the ServerXMLHTTP configures it to never send the user credentials, I've not test that scenario myself.

Unfortunately ServerXMLHTTP provides very limited access to the configuration details on WinHTTP. However if this is a show stopper then you could always use the WinHTTP component directly yourself:-

Dim oWinHTTP
Dim oDOM

    Const AutoLogonPolicy_Always = 0

Set oWinHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")

oWinHTTP.SetAutoLogonPolicy AutoLogonPolicy_Always

oWinHTTP.Open "GET", "http://remoteserver.org/getsomexml.xxx", False
oWinHTTP.Send

If oWinHTTP.Status = 200 Then
 Set oDOM = CreateObject("MSXML2.DOMDocument.3.0")
 oDOM.async = false
 oDOM.Load oWinHTTP.ResponseStream     
End If

Set oWinHTTP = Nothing

That should work for http, for https it gets real messy.

AnthonyWJones