When people asked me if SharePoint 2007 was capable of multiple authentication methods; I knew enough to reply with an enthusiastic 'yes'! But until I was recently asked to resolve an oddly configured SharePoint URL scenario, I had no idea how it achieved multiple means of authenticating and how much real power their method provided developers/administrators.
In short, my supervisor desired a single SharePoint URL, capable of authenticating users via both Windows integrated AND Asp.net membership (forms) authentication. What I discovered is that, while SharePoint can 'easily' be configured to allow for multiple authentication types of the same content (i.e. Web Application), each unique URL can only have a single method of authentication. In hindsight, the answer seems obvious, from a logical standpoint, but not knowing how SharePoint did what it did; I couldn't intelligently reply to his request without first doing some research.
In point of fact, the multiple authentication ability within SharePoint 2007 is achieved by allowing multiple entry-points (zones) within a single web application; each capable of their own form of authentication. However, the phrase 'web application', to me is a bit misleading since I naturally liken it to 'web site' - when in fact each web application can warrant up to 5 IIS web sites; one for each zone. Since each zone earns its very own IIS website, each also posseses a distinct URL. These zones share a common content database; comprising the 'single' web application. Thus multiple authentication methods via a single URL is not possible.
And amidst my Google encounters with multiple web application zones; I stumbled onto the new fan dangle Alternate Access Mappings (AAM) functionality. Initially this further confused my evaluation of what I could/couldn't do with a single URL and SharePoint authentication, but in a nutshell AAM is just a mechanism with which to 'redirect' users SharePoint-style. Normal proxy re-direction will still display all of SharePoint's auto-generated hyperlinks with the address users are re-directed from, but AAM will notify SharePoint of the intended re-direction and update the links appropriately.
Some of the URL's I consulted to iron out my own understanding: