Any progress on this?  If I take your sample and upload it to our server, disable anonymous access, and use integrated windows authentication, I get the same result.  It only works when Allow Anonymous is checked.  FYI, the identity used with Allow Anonymous is (currently) an Administrator, also the identity used by the App Pool is an administrator.

 

This is pretty critical for us.