Kerb authentication is performed at each request, rather than each connection. This can end up being a little top-heavy.
917557 FIX: You may experience slow performance when you use Integrated Windows authentication together with the Kerberos authentication protocol in IIS 6.0
Once installed, the hotfix is toggled by registry key: the value name is EnableKerbAuthPersist.
Why Intranets? it's usually the borderline-insane that try to use Windows Kerberos across the Internet (requirements: the client needs to be a domain member; the server needs to be a domain member; the client needs to be able to talk to a domain controller directly to acquire a ticket. 99.99999% of internet scenarios - not going to happen), so this is pretty much an intranets-only scenario.