When a web client and a web server interact, they negotiate things like protocol version, response types, and in this case, authentication methods.

I have very little experience with IIS, but some quick web searching seems to imply that IIS defaults to "Windows Authentication", and doesn't offer "Basic Authentication" as an option (by default) to the client.

You don't say what version of Zabbix you're using, but current documentation indicates that there should be a drop-down menu for "HTTP Authentication" when you configure the web check, and "NTLM" should be one of the options. If that's true, try that. It should allow Zabbix to negotiate "NTLM" with the server, and hopefully things will work. Note that Zabbix's web checks are based on the underlying libcurl library for your system, so your libcurl and curl documentation may also be useful.

The other option (I think; again, I'm not an IIS person) would be to modify the IIS site config for these sites to enable "Basic Authentication" and perhaps make sure it's at the start of the list, before "NTLM". If you do that, the Zabbix web check should be able to continue to use HTTP Basic Authentication to access the site. Note that enabling Basic Authentication for the site may require additional configuration setup. Not sure how IIS does it, but hopefully you can find the require documentation.

That's the problem. Looks like basic auth to me in a browser and I didn't realize zabbix had the NTLM option. Changing to NTLM in zabbix was the fix here.