IIS asks for login/pass when accessed using hostname but not when 'localhost' is used. Why?

You should look at the configuration of your IIS protection.

Although it seems like you are connecting to the same system, using "localhost" from a browser on your IIS server, you are connecting to 127.0.0.1.

When you connect to the http://hostname URL from another system, you are connection to the systems external IP address.

1. The client requests a resource on the server.

2. The IP address of the client is checked against any IP address restrictions in IIS. If the IP address is denied access, the request fails, and a 403 Access Forbidden message is returned to the user.

3. The server, if configured to require it, requests authentication information from the client. The browser either prompts the user for a user name and password or offers this information automatically.

Access Control in IIS 6.0 (IIS 6.0)