From MS Support:
By default, versions of Windows Internet Explorer that were released starting with the release of security update 832894 do not support handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs. The following URL syntax is not supported in Internet Explorer or in Windows Explorer:
While this still doesn't explain why passing it in the headers doesn't work, at least it's a trail for me to follow. The thing is, is that the workaround involves disabling settings in the user's registry:
To disable the new default behavior in Windows Explorer and Internet Explorer, create iexplore.exe and explorer.exe DWORD values in one of the following registry keys and set their value data to 0.
For all users of the program, set the value in the following registry key:
For the current user of the program only, set the value in the following registry key:
That seems to me like something I should NOT be doing. Is that ethically/legally troublesome?