IIS6 intranet site using integrated authentication fails to load when accessed externally

It looks, to me, like you're falling victim to a "bug" in IE8, as was reported to Microsoft here and discussed in more detail here.

I suspect that if you use the AdsUtil.vbs script to set the authentication on the affected directory to "NTLM" instead of the default "Negotiate,NTLM", the problem will probably go away.

You can verify if you're seeing this behaviour by monitoring the client machine with Wireshark (or your favorite sniffer) and watching to see if it attempts to perform a NetBIOS broadcast name resolution for a domain controller while attempting to access the site.

Some background on the NTAuthenticationProviders value I'm talking about is available from Microsoft KB215383. For IIS6, if the value isn't defined then IIS treats it as "Negotiate,NTLM". My guess is that you're running in the default setting.

You can examine this value using the adsutil.vbs script (which is installed, by default, in %SystemDrive%\Inetpub\AdminScripts). Use the following command to examine the value for the first web site on the machine (obviously, change the path in this example to suit your real application):

cscript adsutil.vbs GET W3SVC/1/Root/NTAuthenticationProviders

Remember-- if the value isn't defined then IIS6 will be using its compiled-in default setting of "Negotiate,NTLM".

To change the NTAuthenticationProviders value for the root directory of the first web site on the machine, use the following command:

cscript adsutil.vbs SET W3SVC/1/Root/NTAuthenticationProviders "NTLM"

Microsoft recommends verifying the value "took" by querying it again after you've set it.


Do you have access to the security log of the IIS server? If so, that will help you figure out why Integrated Authentication is failing with IE8. If you don't have access to the logs, you can get a client-side view of the traffic by using WebFiddler, which would let you compare the HTTP authentication traffic between IE8 and Firefox.
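
Added example (not part of the original answers): a small Python helper for reading headers copied out of a proxy or sniffer capture when comparing the two browsers. It lists the schemes the server offers in its 401 (which reflects the NTAuthenticationProviders setting) and reports whether the token a client sent is NTLM or a GSS-API/SPNEGO token. The function names and the sample response are constructed for illustration.

```python
import base64

# Constructed sample: the head of a 401 from a site left at "Negotiate,NTLM".
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n\r\n"
)


def offered_schemes(response_head):
    """Return the auth schemes the server offers, in the order it sent them."""
    schemes = []
    for line in response_head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0])
    return schemes


def classify_authorization(header_value):
    """Classify a client Authorization header value as (scheme, token kind)."""
    parts = header_value.split(None, 1)
    if len(parts) != 2:
        return (parts[0] if parts else "", "no token")
    scheme, b64 = parts
    try:
        raw = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return scheme, "undecodable"
    if raw.startswith(b"NTLMSSP\x00"):
        # Raw NTLM message; bytes 8..11 hold the little-endian message type.
        return scheme, "NTLM type %d" % int.from_bytes(raw[8:12], "little")
    if raw[:1] == b"\x60":
        # ASN.1 APPLICATION 0 tag: GSS-API initial token (SPNEGO or Kerberos).
        return scheme, "GSS-API/SPNEGO"
    return scheme, "unknown"


if __name__ == "__main__":
    print("server offers:", offered_schemes(SAMPLE_401))
    # Constructed NTLM type 1 token, as a client might send under either scheme.
    token = base64.b64encode(b"NTLMSSP\x00" + (1).to_bytes(4, "little")).decode()
    print(classify_authorization("Negotiate " + token))
```

Run it against the 401 and the following request from each browser; a difference in the offered schemes or in the token kind shows where the two exchanges diverge.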