I have one controller that renders pages in an internal web application that needs to be Windows authenticated. There exists a second controller used for JSON-based queries into the system that do NOT need to be Windows authenticated. Is that possible? It appears I've only been able to do one or the other at the moment.
Any suggestions?
Yes. Based on what authentication you choose, you decorate your controller's action method with Authorize.
This article presents exactly what you are looking for:
http://www.asp.net/mvc/tutorials/authenticating-users-with-windows-authentication-cs
From the article: "For example, the Home controller in Listing 1 exposes three actions named Index(), CompanySecrets(), and StephenSecrets(). Anyone can invoke the Index() action. However, only members of the Windows local Managers group can invoke the CompanySecrets() action. Finally, only the Windows domain user named Stephen (in the Redmond domain) can invoke the StephenSecrets() action."
We have a few apps that need to do this exact thing. Often, our apps are locked down in the web.config:
<authentication mode="Windows"/>
<authorization>
    <allow roles="DOMAIN\GroupNameHere"/>
    <deny users="?"/>
</authorization>
<location path="ApiControllerName">
    <system.web>
        <authorization>
            <allow users="*"/>
        </authorization>
    </system.web>
</location>
However, you still have to turn off Windows authentication for that API Controller. You can do this by editing the applicationHost.config file on the IIS server and adding:
<location path="Default Web Site/ApplicationName/ApiControllerName">
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="true" />
                <windowsAuthentication enabled="false" />
            </authentication>
        </security>
    </system.webServer>
</location>
This PowerShell script will do it for you:
# Load the IIS management API (Out-Null suppresses the assembly info it prints)
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Web.Administration") | Out-Null

# Location path of the API controller, relative to the site, as it appears in the <location> tag
$applicationLocationPath = "Default Web Site/ApplicationName/ApiControllerName"

$oIIS = New-Object Microsoft.Web.Administration.ServerManager
$oGlobalConfig = $oIIS.GetApplicationHostConfiguration()

# Enable anonymous authentication only for the API location
$oSection = $oGlobalConfig.GetSection("system.webServer/security/authentication/anonymousAuthentication", $applicationLocationPath)
$oSection.SetAttributeValue("enabled", "True")

# Disable Windows authentication only for the API location
$oSection = $oGlobalConfig.GetSection("system.webServer/security/authentication/windowsAuthentication", $applicationLocationPath)
$oSection.SetAttributeValue("enabled", "False")

# Write the new <location> section to applicationHost.config
$oIIS.CommitChanges()
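A read-back check to run after the script above, added here as an example and not part of the answer: it reads the effective IIS authentication settings for the application root and for the API path, and flags anything other than "Windows on, anonymous off" at the root and "Windows off, anonymous on" for the API location. The two location paths are assumptions matching the placeholder names used above.

```powershell
# Added verification script (not from the answer above). It uses the same
# Microsoft.Web.Administration API to read the effective settings back from
# applicationHost.config, so an accidental change at the application root is caught.
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Web.Administration") | Out-Null

# Expected layout per location path (paths are assumed placeholders; adjust to your site)
$expected = @{
    "Default Web Site/ApplicationName"                   = @{ windows = $true;  anonymous = $false }
    "Default Web Site/ApplicationName/ApiControllerName" = @{ windows = $false; anonymous = $true  }
}

$oIIS = New-Object Microsoft.Web.Administration.ServerManager
$oGlobalConfig = $oIIS.GetApplicationHostConfiguration()
$ok = $true

foreach ($path in $expected.Keys) {
    # GetSection with a location path returns the effective (inherited or overridden) section
    $anon = $oGlobalConfig.GetSection("system.webServer/security/authentication/anonymousAuthentication", $path)
    $win  = $oGlobalConfig.GetSection("system.webServer/security/authentication/windowsAuthentication", $path)
    $anonEnabled = [bool]$anon.GetAttributeValue("enabled")
    $winEnabled  = [bool]$win.GetAttributeValue("enabled")

    $match = ($winEnabled -eq $expected[$path].windows) -and ($anonEnabled -eq $expected[$path].anonymous)
    if (-not $match) { $ok = $false }

    "{0,-55} windows={1,-5} anonymous={2,-5} {3}" -f $path, $winEnabled, $anonEnabled,
        $(if ($match) { "OK" } else { "MISMATCH" })
}

if (-not $ok) { Write-Warning "IIS authentication settings do not match the expected layout." }
```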
Yes, you can handle this with AuthorizeAttribute.
So, for example, in a simple account controller where you only want authorized users to access the ChangePassword action:
[Authorize]
public ActionResult ChangePassword()
{
    // your code here
}