3) From IE7, the session_name remains the same across all requests, but the session_id() of the initial page request is different from the ajax callbacks. In other words the session cookie's value changes. So $_SESSION is not shared. Is this what I should be seeing?
No. Browsers have a responsibility to always send back cookies to the domain+path that sent them. So if your ajax callback is sent back to the same domain and path as the session cookie, it has to be sent back. Check the domain and path of the cookie and ajax callback carefully. You can control what path/domain the cookie gets set on using settings.php (see the comments there). Note that changing that can affect existing users and their cookies.
4) Also from IE7, the session_id is new for ajax callbacks, yet Drupal somehow knows which user is logged in. That is, $_SESSION is not shared with the original page request, but the global $user is set correctly. How is this happening? Doesn't Drupal rely on the session_id to determine the user? Since session_id has changed, shouldn't Drupal think the ajax request is anonymous?
Is what I'm seeing the way things are supposed to be, or have I somehow screwed up my install?
Screwed up install, or browser, or other.
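An added example, not part of the original thread or of Drupal: a small checker for the domain and path comparison the answer recommends, reporting why a session cookie would be withheld from an ajax callback. It follows the RFC 6265 matching rules (individual browsers can deviate from them); the function names, the cookie object shape and all hosts and paths are assumptions made for illustration.

```javascript
// Added example: RFC 6265 domain-match and path-match, used to explain why a
// browser would omit a session cookie from an ajax callback.
// All hosts, paths and cookie values below are constructed.
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// cookie = { domain, hostOnly, path, secure } as the browser stored it.
function domainMatch(requestHost, cookie) {
  const host = requestHost.toLowerCase();
  const domain = cookie.domain.toLowerCase().replace(/^\./, "");
  if (host === domain) return true;
  if (cookie.hostOnly) return false; // no Domain attribute: exact host only
  if (IPV4.test(host) || host.includes(":")) return false; // IP literals never suffix-match
  return host.endsWith("." + domain);
}

function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // "/drupal" covers "/drupal/ajax" but not "/drupalajax"
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Returns the reasons the cookie is withheld; an empty array means it is sent.
function whyNotSent(cookie, requestUrl) {
  const url = new URL(requestUrl);
  const reasons = [];
  if (!domainMatch(url.hostname, cookie)) {
    reasons.push(`domain: ${url.hostname} does not match ${cookie.domain}`);
  }
  if (!pathMatch(url.pathname, cookie.path)) {
    reasons.push(`path: ${url.pathname} is outside ${cookie.path}`);
  }
  if (cookie.secure && url.protocol !== "https:") {
    reasons.push("secure: cookie is Secure but the request is plain http");
  }
  return reasons;
}

// Constructed cases: a host-only cookie set by www.example.com, and one
// scoped to the whole domain but only to the /drupal path.
const hostOnly = { domain: "www.example.com", hostOnly: true, path: "/", secure: false };
const scoped = { domain: ".example.com", hostOnly: false, path: "/drupal", secure: false };
for (const [c, u] of [
  [hostOnly, "http://www.example.com/ajax/callback"],
  [hostOnly, "http://example.com/ajax/callback"],
  [scoped, "http://example.com/drupal/ajax/callback"],
  [scoped, "http://www.example.com/ajax/callback"],
]) {
  console.log(u, "->", whyNotSent(c, u).join("; ") || "cookie sent");
}
```

A request for which this reports a mismatch arrives without the session cookie, so the server starts a fresh session for it.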