Turning 'anonymous' on site wide, not a specific page.
Turning anonymous on site-wide is what pretty much every NTLM SSO setup would need. Except on auth/ldap/ntlmsso_magic.php. In that particular file you need to disable anonymous and enable Windows authentication, with NTLM at the top of the providors list and negotiate second (unless you are using Kerberos for SSO, but then you would know about this). Of course this assumes that the rest of the LDAP SSO settings are correctly configured.
If you don't disable anonymous (and turn Windows authentication on) on auth/ldap/ntlmsso_magic.php, the NTLM SSO is not going to work.
On the other hand, if you don't turn anonymous on in the rest of the site files,then guest users are not going to be able to access the front page (or any other guest-accesible page) without providing their NTLM SSO credentials first.
Saludos. Iñaki.