I hope I am understanding this correctly. So you are saying that you have a secured map service (secured through the ArcGIS Server Manager such that is you were to try and access the URL of the service it would challenge you for a username and password). You then have an application that is secured by windows authentication. When they run the application in IE and it gets to the code where the URL for the service is being called, it doesn't challenge them for a username and password because windows authentication is in place and that passes the username and password into the map service?
This does not work for me. My setup: Windows Authentication on the application that calls the secured map service: Secured map service using Active Directory. When I run the application in Firefox I am challenged for a username and password. I enter my windows username and password and the map is displayed. When the map gets to the point of calling the secured service I am challenged again for a username and password. I use the same username and password that I used when challenged before and the map is displayed correctly.
What I want the application to do is pass my windows username and password to the secured service so that it does not challenge me a 2nd time.