The default security model in Exchange Server 2003 prevents all user accounts from being able to open more than their own mailbox. A change to the default security settings is the only way this could happen.
For example, if you were to follow the steps in the Microsoft article, "How to assign service account access to all mailboxes in Exchange Server 2003," an account could be given access to all mailboxes. If you are logging on using such an account, then it might be possible to do what you have described without being prompted for a separate set of credentials.
You'll want to look at enabling forms-based authentication (FBA) on the ISA server. This will enhance the security for each logon. It will also force each session to log on with a new set of credentials.
For step-by-step instructions on configuring the listener for FBA, take a look at Outlook Web Access Server Publishing Walk-through Procedure 4: "Secure Outlook Web Access through the listener."
Do you have comments on this Ask the Expert Q&A? Let us know.
Related information from SearchExchange.com:
Dig Deeper on Exchange Server setup and troubleshooting
Related Q&A from Richard Luckett
Some folders in a mailbox on Exchange Server 2013 are not showing up on the folder list in the OWA virtual directory but do appear in other views. Continue Reading
We have a Client Access Server and Mailbox Server on Exchange 2013 and we want to install an Edge Transport role on another machine. I joined the ... Continue Reading
How can I enable Outlook Anywhere to allow internal use for all users and external use for only some users in Exchange 2013? Continue Reading