Great news, guys. I disabled the AD http module in web.config as Ben noted, and tried posting to a blog tied to a Windows account with Live Writer, and it worked. In the Live Writer setup screen I simply supplied my Windows account in the form DOMAIN\username with the Windows password. It appears we can have the best of both worlds with some minor tweaks to the AD http module.
One thing to keep in mind is that the Windows password is sent in plain text just as with a DNN forms-authenticated user, so folks will want to make sure their site is isolated in an Intranet environment and/or secured with SSL, especially in an Extranet environment.
I will also try to put some custom code in the AD http module so that we can use a config file to specify additional files (or perhaps user agents as Don mentioned) that can be accessed anonymously without redirecting to the automatic sign-in page.
We may want to consider submitting an enhancement request to support.dotnetnuke.com so that this might be a public addition to the AD module, if appropriate. Don, is this something you would prefer to do, as the technical contact for metaPost? I would be happy to do so myself as well.
Again, thanks much to both of you.