What is the effect of <authentication mode="windows"> in versions of IIS?

2

6

I am wondering what the effect of setting <authentication mode="windows"> in the web.config is in different versions of IIS.

I believe that in IIS 5, it has little to no effect, as all of that is integrated and controlled by the web server.

On IIS 6 and 7, I believe that I can set the web server to Anonymous access and then each hosted web application could in turn determine if it wanted to use Windows Authentication by setting the mode. That is to say, the web.config controls ASP.NET in these IIS versions and overrides the server.

I am looking for a white paper or reference of some type that will back this up more than just my observational experience.

Grahamgrahame answered 13/1, 2010 at 16:58 Comment(0)
0

To my knowledge, there were few changes between 5 and 6 with respect to security. However, IIS 7 was a major overhaul and differs from IIS 6 quite a bit (but IIS 7 allows you to run in "compatibility" mode so that your applications would behave almost exactly the same way they did under IIS 5 and 6).

There are a couple of useful articles that might help:

Alcazar answered 7/11, 2010 at 4:24 Comment(0)
0

IIS 5 is also obsolete (Windows XP will die next year). There is little value in discussing further details about it, though your understanding is not correct as far as I can remember.

That setting alone only determines how the ASP.NET framework interprets the native user token passed on by IIS (as IIS performs authentication beforehand using its authentication providers). So for IIS 6/7/8, when you set this on the ASP.NET side, you need to carefully check what the corresponding setting is on the IIS side.

For example, when the IIS side uses anonymous/(Integrated) Windows/Basic/Digest authentication, different types of user tokens will be passed on to ASP.NET.

http://msdn.microsoft.com/en-us/library/907hb5w9(v=vs.100).aspx

Therefore, your understanding of "I can set the web server to Anonymous access and then each hosted web application could in turn determine if it wanted to use Windows Authentication by setting the mode" is wrong. If your intention is to use Windows authentication to authenticate clients, you must set it on both the IIS side and the ASP.NET side. Starting from IIS 7, IIS Manager puts those settings in the same place, but you still need to fully understand their differences and relationships.

For more information on ASP.NET authentication, you can refer to http://msdn.microsoft.com/en-us/library/eeyk640h(v=vs.100).aspx

Bobbette answered 9/4, 2013 at 7:29 Comment(0)
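
An added example, not part of the answers above and not Microsoft tooling: a small audit of the point made in the last answer, that mode="Windows" on the ASP.NET side must be matched by Windows authentication on the IIS side. It assumes the IIS 7+ system.webServer authentication sections are available in the same XML as system.web; the sample configurations and the function names iis_enabled and audit are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: ASP.NET asks for Windows mode while IIS is anonymous-only.
MISMATCHED = """<configuration>
  <system.web><authentication mode="Windows" /></system.web>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" />
    <windowsAuthentication enabled="false" />
  </authentication></security></system.webServer>
</configuration>"""

# Constructed sample: IIS and ASP.NET both configured for Windows authentication.
ALIGNED = """<configuration>
  <system.web><authentication mode="Windows" /></system.web>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="false" />
    <windowsAuthentication enabled="true" />
  </authentication></security></system.webServer>
</configuration>"""

IIS_AUTH = "system.webServer/security/authentication/"

def iis_enabled(root, provider, default):
    """Read an IIS provider's 'enabled' flag, falling back to the IIS default."""
    node = root.find(IIS_AUTH + provider)
    if node is None or node.get("enabled") is None:
        return default
    return node.get("enabled").lower() == "true"

def audit(config_xml):
    """Return findings where ASP.NET Windows mode is not backed by IIS settings."""
    root = ET.fromstring(config_xml)
    node = root.find("system.web/authentication")
    # ASP.NET defaults to Windows mode when the element or attribute is absent.
    mode = node.get("mode", "Windows") if node is not None else "Windows"
    findings = []
    if mode.lower() != "windows":
        return findings  # Forms/None: the IIS token is not used for identity here
    if not iis_enabled(root, "windowsAuthentication", False):
        findings.append("IIS Windows authentication is disabled")
    if iis_enabled(root, "anonymousAuthentication", True):
        findings.append("IIS anonymous authentication is enabled")
    return findings

if __name__ == "__main__":
    for name, xml in (("mismatched", MISMATCHED), ("aligned", ALIGNED)):
        print(name, audit(xml) or "consistent")
```

On a default IIS 7+ install these authentication sections are locked to applicationHost.config, so run the check against the effective configuration for the site rather than the application's web.config alone.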
