Update 08/14/2009: I also want to point out some text from the whitepaper based on this article to make it clear what this function does (decodes an NTLM token) and does not do (negotiate anything with any domain controller).
"This paper presents a pure PL/SQL code solution for decoding an NTLM token and using that decoded value as the authenticated user in APEX applications. The function will set the username to "nobody" if it detects that the browser prompted the user for their credentials instead of just silently negotiating them. You can then write authorization schemes that deny access to the "nobody" user. Note that unlike the mod_ntlm Apache module, this solution does not pass along credentials to a domain controller for authentication. This solution requests that the browser present an NTLM authentication token and decodes the username and domain from that token."

More importantly, as per the last update (quoted above), it doesn't actually verify credentials with a domain controller like Apache mod_ntlm does. Assuming that the new Apex listener is the recommended "web server to proxy requests between the browser and the Apex engine", IMHO there should be a more robust NTLM authentication method that actually verifies credentials with the domain controller instead of a (very clever) hack.