When a document is policy protected, you must authenticate to the LiveCycle (Rights Management) server to view the document. LiveCycle and RM support Single Sign On (to Policy Protected PDFs) through MS Active Directory and Kerberos.
If a SSO solution is not in place, then you must login at least once to view the a protected document. When no SSO is in place, Reader and Acrobat in conjunction with the RM server support the concept of a session. This means that the user will be authenticetd when they first try to open a policy protected PDF, but will not be promted when opening subsequent documents during the same session. A session is ended when Acrobat or Reader is closed, or if it times out. The session length is configurabel on the server side.
Regards
Steve