I'm starting to hate some IIS "features".
First it was IIS basic authentication (which you have to do by active directory whenever you want or not, just because IIS processes it first and then handles the result to ASP.NET). I'll search for the MSDN article where this is explained.
And now, look at the differences between a HttpContext of an ASPX page and one from a html page (generally speaking, a static resource):
Fantastic, no SessionSate! This means that if you're developing a HttpModule that needs to access Session data, forget all non-dynamic resources...
HttpModules are very cool because with few lines of code you get ISAPI-like results, but seems they have their limitations too.