I was struggling with this myself for a few days.

Using the IE specific ‘document.execCommand('ClearAuthenticationCache');‘ is not for everyone a good option:
1) it flushes all credentials, meaning that the user will for example also get logged out from his gmail or any other website where he’s currently authenticated
2) it’s IE only 😉

I tried using Session.Abandon() and then redirecting to my Default.aspx. This alone is not sufficient.
You need to explicitly tell the browser that the request which was made is not authorized. You can do this by using something like:

response.StatusCode = 401;
response.Status = "401 Unauthorized";
response.AddHeader("WWW-Authenticate", "BASIC Realm=my application name");
resp.End();

This will result in the following: the user clicks the logout button ==> he will get the basic login window. HOWEVER: if he presses escape (the login dialog disappears) and hits refresh, the browser automagically sends the credentials again, causing the user to get logged in, although he might think he’s logged out.

The trick to solve this is to always spit out a unique ‘realm’. Then the browser does NOT resend the credentials in the case described above. I chose to spit out the current date and time.

response.StatusCode = 401;
response.Status = "401 Unauthorized";
string realm = "my application name";                
response.AddHeader("WWW-Authenticate", string.Format(@"BASIC Realm={0} ({1})", realm, DateTimeUtils.ConvertToUIDateTime(DateTime.Now)));
resp.End();

Another thing that you need to do is tell the browser not to cache the page:

Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetExpires(DateTime.MinValue);
Response.Cache.SetNoStore();

With all these things in place it works (for me) in IE, but until now I still wasn’t able to prevent firefox from logging in the user when the user first presses escape (hides the basic login dialog) and then refresh (F5) or the browsers back button.