What you need to keep in mind is that it is the client application that decides whether to prompt for authentication or not.
Each client application may have certain restrictions as to when it sends user credentials without prompting the user.
Windows Media Player is the same.
It is best to use a single-word hostname for the IronPort appliance and to make sure both the IronPort single-word hostname and IP address are added to the "intranet zone", in 'Internet Explorer > Tools > Internet Options > Security > Local intranet'.
The other option is to use IP surrogates instead of cookie surrogates, under 'GUI > Network > Authentication > Credential cache options', which keeps an IP address to username mapping upon initial authentication.