As of IE7, any URL whose host portion contains a dot is considered to be outside the intranet zone. Thus, automatic Windows authentication is disabled (by default). As a workaround, you can now add individual URLs to the list of intranet sites.
I tried to add a wildcard for the local domain to the list of sites (*.mm.local). IE complained that the URL was already listed in another zone, and that I should remove it from that zone first. True enough, it was in the trusted sites zone. So I removed it and tried again. I exited and relaunched IE. I logged out and logged back in. I rebooted. The same message occurred after each of these measures. I tried a different wildcard, and it worked.
There appears to be a bug where once something has been in the trusted sites zone, you can't ever add it to another zone. I connected to a web site in the local domain, entered the requested password, and IE showed the site as still belonging to trusted sites. But the wildcard no longer appears in the trusted sites list.
Problem solved. The registry key
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
contains the IE zone mapping. It didn't show my local domain, but the corresponding key under HKLM did. I'm not sure how the HKLM key got there, and there was no evidence of the registry setting in the IE configuration dialogs. Deleting the key made things work as expected.
