I will use yahoo.com for my example because I see it there, but this is happening for many login type sites...some of which we control and have verified cache settings for.
I go to fantasysports.yahoo.com and receive the page just fine. I click sign-in and enter my credentials. It accepts them and redirects back to the main page and I appear to not be logged in....Unless I press CTRL-F5. Then I come up as logged in.
Now, I go to my neighbors PC and type in the URL. Bam! He is logged in as me.
I have viewed the headers, and they are have all the necessary settings to not cache. Yet it is obvious that the cached versions are being returned.
The only caching rule currently is the default one - Only if valid, cache, (user auth, dynamic, and offline all UNchecked.)