What happens is this:

1) The SID800 token and RSA Smart Card Middleware is recognised by Microsoft Windows as being capable of storing a Microsoft Windows logon certificate.

2) As the USB token is inserted, Windows prompts the user to enter a PIN to unlock the token (note - this can only occur if the workstation is a member of a domain)

3) The Microsoft Windows logon process reads the unlocked token and does not find an available Microsoft Windows logon certificate and correctly displays the error message

The decision to give the option of attempting to use a Microsoft Windows logon certificate to log in is made totally by the Windows operating system but is only seen on workstations or desktops which are members of a domain (or domains).

If you wish to disable this functionality contact Microsoft to find out how to stop this behaviour.

What you might want to do is actually allow certificate-based logon and for this you would install a domain logon certificate/keypair on the USB token to be used along side the Software token. Again, this functionality is totally Microsoft based but can either be managed by a Microsoft Enterprise CA or an RSA Certificate Manager solution.