>>>How have you configured sessionState? If you are using cookies, does the failing browser have cookies disabled?
>>
>>I just found Session State in IIS and it is configured as:
>>
>>Session State Mode Settings:
>>In Process
>>
>>Cookie Settings:
>>Mode: Use Cookies
>>Name: ASP.NET_SessionId
>>Time-out: 20 mins
>>
>>use hosting identity for impersonation is checked.
>>
>>Does this mean I need to ensure cookies are enabled on the workstations' browsers?
>
>
>As always, it depends. The short answer is yes. Another option is to use a cookie mode of "AutoDetect". I'm not sure what versions of ASP.net support AutoDetect. I know 3.5 does. All the gory details are here
>
>http://msdn.microsoft.com/en-us/library/h6bb9cz9.aspx
>
>I feel your pain. So much to learn, so little time!

Changing it to AutoDetect worked! However, prior to that I had tried to allow cookies for the site, but it didn't work. The site is accessed like this:

http://servername/SIAS

when I tried to add that into allowed sites it said the url was invalid (I guess it was looking for .com/.org and so on), so I tried it in the intranet side and it allowed it to be entered, but it didn't make a difference. I then set the security level in the browser to the lowest settings and that didn't work.

I am still confused as to why the autodetect works and would prefer not to have it running with the session stuff displayed in the address bar.