I've used Kerberos auth with NAM for many years and one of the things I've always wondered is, is there a way to prevent IE (and now Chrome) from doing a fall-back to NTLM auth when Kerberos fails?

My understanding is that when the browser gets the "WWW-Authenticate: negotiate" header it will try Kerberos first and if that fails fallback to NTLM (which NAM of course does not support). This generates the familiar NTLM dialog box in IE and Chrome. This typically confuses users and so we always have to resort to using some other mechanism (e.g. Kerberos include/exclude lists, header injection at the load balancer, etc.) to prevent non-domain machines from attempting to negotiate auth. Firefox allows you to control the NTLM auth separately so it doesn't have this issue. I've looked on and off for a while, and I can't find any way to control this with IE (and Chrome since it uses the Windows settings).

Is there any local policy or registry key in Windows that will prevent the NTLM fall back on a negotiate auth? I'm more interested in preventing it in Chrome than IE, but I have been unsuccessful in finding anything (it looks like Chrome used to have a registry setting where you could control auth mechanisms, but it's not clear to me if that is still supported by current Chrome).

Or is the only option to keep tight control on the networks that are allowed to use Kerberos?