You have discovered how http auth works.
When a user first connects to a server the browser doesn't send any credentials. The reason being is that the browser doesn't know if it needs to. Nor does it know what format to send the password, and more importantly, YOU DON'T WANT TO SEND YOUR USERNAME PASSWORD TO EVERY SERVER YOU EVER VISIT.
So IIS receives this un-authenticated request, and sends back a 401. 401 doesn't just mean you are not authenticated to access this webpage, it also includes HOW you should authenticate (BASIC username/password, Kerberos etc to name a few methods).
TLDR. The 401 is to tell the browser how to send the username/password (and that you need to authenticate to view the resource).