All of a sudden an application I had written started being buggy in that if you were using IE, you wouldn't stay logged in after the initial login.
A bit of investigation showed that the session cookie wasn't being set, odd.. it had been working. A quick workaround in IIS was to set the session management to be url based, but this caused horrors to happen to the url (it prepending all links with a session key hash).
The answer at the end of the day, was that ie will reject cookies from domains that have an underscore '' in them, and indeed in this case mine did (somesub_domain.mydomain.com) .
So changing that fixed the problem, caveat emptor! you may be able to set any crazy subdomain you want, but be careful. It would seem that _ is not valid as far as the official RFC is concerned (can't find that myself) , and so some apps care, some don't.
Another interesting discovery here was the IIS Session State Management control panel, where you can set it to be cookie, url, autodetect, a session server (that's interesting) or custom (guess you'd roll your own) . This explains part of how to do web app load balancing and such with shared sessions.