The authenticates role described on the word file will give access to any host/service with IPv4.
Have you had the opportunity to analyse what changes on user's device when they run a diagnostic?
Do they have access to the internal network before running a diag?
Do they change IP address after running a diag?
What role does the user session is in before and after running a diag?
I there is a firewall that requires authentication before internet access, what is the user's authenticated status before and after running a diag?
Regards