Moodle should only attempt SSO with clients in the subnet (or subnets) specified so if it's attempting SSO with off-site users then presumably it thinks they're in that subnet. Could something like Microsoft ISA or TMG be sitting between the outside world and the IIS server causing the client IP addresses to be seen as internal addresses?
Also have you only got Windows Authentication enabled for the auth/ldap/ntlmsso_magic.php file and not the whole auth/ldap directory (or perhaps other files in that directory)?