ThreadAbortException when anonymously accessing SharePoint lists

Question

In the legacy code I'm working with, a web service accesses SharePoint lists.
Some of these lists require special permissions so user credentials are requested at first access.

However after I added some logging to application I noticed that actually the following happens when user tries to call the web service first time:

• web service begins running normally;
• when item requires special permissions, SharePoint sends HTTP 401 which turns into ThreadAbortException;
• user is presented with credentials box;
• after logging in, the web service is called once again, this time without problems.

It essentially means that code prior to SharePoint calls runs twice in this scenario.
What is the right way to show credential box before any code is run?
Is this the case when anonymous access is IIS should be disabled? I suspect so but I'm too inexperienced in configuring web projects so I feel confused.