The SSO plugins, for example WIASSOPlugin (which provides SSO when using IIS with Integrated Windows Authentication and the ISAPI filter) stop working if the 'public' group is given permissions on any of the Folders.
The SSO plugins are only used if the authentication process is triggered, which requires the 'public' group to have 0 (zero) permissions if you are directing users to the site via the following URL:
To overcome this, you have to send your staff users to Asset Bank using a different URL - e.g. via a link on your Intranet. This URL should end as follows: