Users are getting authentication pop-ups on IE8 or IE9, but not with IE7.
For versions earlier than SGOS 6.3, the ProxySG appliance returns a 302 redirect to IE8 and IE9 for authentication, instead of the 307 redirect, which is sent to IE7 or earlier.
As explained in KB3788, when the ProxySG downgrades to a non-redirect authentication mode, it sends an HTTP 401 "Authentication required" response code, so the ProxySG then will challenge the user with a pop-up.
Avoid this pop-up by applying the following CPL code in the Local Policy file.
request.header.User-Agent="MSIE 8.0" authenticate.force_307_redirect(yes)
request.header.User-Agent="MSIE 9.0" authenticate.force_307_redirect(yes)