Hi,
I've compared all the LDAP authentication code from 2.4.2 to 2.4.3 (your build) and the only change (about paged results) doesn't affect NTLM SSO at all. So the problem should lay elsewhere.
When you say:
If I turn annonymous access on in IIS then the SSO in the Moodle site doesn't work. It tries to authenticate and then says it has failed and throws up the standard login page.
Which specific pages do you turn anonymous access on? Which ones you don't? Sorry to be so picky, but this is one of the tricky parts of the setup. Also, have you checked the file system permissions for those pages (files)? IIS uses file system permissions for web control access too (to make things even more complicated )
Turning on debugging in the one that doesn't work produces nothing, so it clearly thinks it is working correctly.
Unfortunately, turning on debugging is not very useful in this case (NTLM SSO) as there are no debugging statements in that code path unless something goes really wrong. There's a reason for that: most of the SSO is handled by the web service itself, and out of Moodle's control.
I'd start by adding a few debugging statements in strategic places to see what could be going on. The first place I would add such statements is inside function ntlmsso_magic(). I would add a debugging statement at the top of the function to see if Moodle actually gets anyting at all in the $_SERVER['REMOTE_USER'] variable, and what it looks like. If you get anything that actually looks good, I'd add debugging statements to all the functions called from there, to see how things evolve.
By the way, If you can use a remote PHP debugging environment like xdebug (http://xdebug.org), that would make things easier.
Saludos. Iñaki.