I'm sorry, but I'm not able to reproduce it with either IE 6.0 (the Windows 2003 server version) or FF 2.0.0.4 (Windows versino).
I have tried with the login block on the front page, by simply clicking on the 'Login' button, and it works as expected if the user should auto-login, and redirects to the standard login page otherwise with the authldap_skipntlmsso flag. And when I enter the credentials of a valid user, I log in directly, with no ntlmsso re-attempt.
I'm using Moodle 1.9 ($version = 2007101509; $release = '1.9 + (Build: 20080311)'), on Windows 2003. I'm going to try with Moodle 1.9 current as of today in a minute, just to make sure it doesn't make a difference.
OK, I think I have it 
. I think you are clicking on the 'Continue' link on the ntlmsso_finish.php page, instead of waiting for it to redirect you back to the normal login page. This makes the browser send a 'Referer:' header back to Moodle pointing to that same page.
The login page then uses that header in certain cases to see where you were coming from, so it can send you back there when you are enter your credentials. And this time things were getting mixed with this additional 'Referer:' header. Instead of sending you back to the front page, you were are redirected to the ntlmsso_finish.php page again, where it tolds you that NTLM authentication has failed, even if it hasn't tried again (this is a static message, it always prints the same).
So here is a new version of the loginpage_hook() functions that fixes that particular case:
function loginpage_hook() {
global $CFG, $SESSION;
if (($_SERVER['REQUEST_METHOD'] === 'GET' // Only on initial GET of loginpage
|| ($_SERVER['REQUEST_METHOD'] === 'POST'
&& (get_referer() != strip_querystring(qualified_me()))))
// Or when POSTed from another place
// See MDL-14071
&& !empty($this->config->ntlmsso_enabled) // SSO enabled
&& !empty($this->config->ntlmsso_subnet) // have a subnet to test for
&& empty($_GET['authldap_skipntlmsso']) // haven't failed it yet
&& (isguestuser() || !isloggedin()) // guestuser or not-logged-in users
&& address_in_subnet($_SERVER['REMOTE_ADDR'],$this->config->ntlmsso_subnet)) {
// First, let's remember where we were trying to get to before we got here
if (empty($SESSION->wantsurl)) {
$SESSION->wantsurl = (array_key_exists('HTTP_REFERER',$_SERVER) &&
$_SERVER['HTTP_REFERER'] != $CFG->wwwroot &&
$_SERVER['HTTP_REFERER'] != $CFG->wwwroot.'/' &&
$_SERVER['HTTP_REFERER'] != $CFG->httpswwwroot.'/login/' &&
$_SERVER['HTTP_REFERER'] != $CFG->httpswwwroot.'/login/index.php')
? $_SERVER['HTTP_REFERER'] : NULL;
}
// Now start the whole NTLM machinery.
redirect("{$CFG->wwwroot}/auth/ldap/ntlmsso_attempt.php");
}
// No NTLM SSO, Use the normal login page instead.
// If $SESSION->wantsurl is emtpy and we have a 'Referer:' header, the login
// page insists on redirecting us to that page after user validation. If
// we clicked on the redirect link at the ntlmsso_finish.php page instead
// of waiting for the redirection to happen, then we have 'Referer:' header
// we don't want to be used at all. As we can't get rid of it, just point
// $SESSION->wantsurl to $CFG->wwwroot (after all, we came from there).
if (empty($SESSION->wantsurl)
&& (get_referer() == $CFG->httpswwwroot.'/auth/ldap/ntlmsso_finish.php')) {
$SESSION->wantsurl = $CFG->wwwroot;
}
}
(I have attached a .diff file for MartinL 
and I'll add it to the bug tracker if you confirm that it fixes the issue for you too).
Saludos. Iñaki.
