Right, that's not the default because sending your logon credentials to any site on the internet is usually considered a bad thing. If you're not worried about your user's username/password combinations, then it probably makes sense to turn that on. It's enabled by default for the intranet zone only, because it is assumed that those servers are local to your network, and thus at least a safer option to send such for.