
HTTP host headers can be used for opening sites via HTTPS with URL rewriting


Hello,

The thread subject can be a bit confusing, but I will try to explain what I meant. I found a similar issue here: "IIS6 IP/port binding weirdness using SSL", but it is not exactly the same. Here is the situation: on the web server (IIS6) there are 4 web sites. All of them can be used over both HTTP and HTTPS. The web server has 4 network interfaces (4 IPs), so the SSL certificate of each site is bound to its own IP address:

Site 1:
http: host header: example1.com, port: 80, IP: All unassigned
https: certificate issued for domain name secure.example1.com is bound to IP1, port: 443

Site 2:
http: host header: example2.com, port: 80, IP: All unassigned
https: certificate issued for domain name secure.example2.com is bound to IP2, port: 443

Site 3:
http: host header: example3.com, port: 80, IP: All unassigned
https: certificate issued for domain name secure.example3.com is bound to IP3, port: 443

Site 4:
http: host header: example4.com, port: 80, IP: All unassigned
https: certificate issued for domain name secure.example4.com is bound to IP4, port: 443

However, the DNS records for all HTTP host headers refer to the same single IP: IP4 (when investigating the issue I pinged all of them). In this situation there is interesting behavior: the HTTP host headers of all 4 sites can be used via HTTPS, and in each case the browser shows the content of Site 4, but with a certificate error which says that the certificate was issued for secure.example4.com:

https://example1.com, https://example2.com, https://example3.com, https://example4.com -> shows content from https://secure.example4.com with certificate error.

So the URL is rewritten somehow: in the browser's address bar there is the HTTP host header of e.g. Site 1, but the content is shown from Site 4. As far as I understand, one way to fix the problem is to add a 5th network interface and reassign the binding of the Site 4 SSL certificate to that new IP5, so IP4 won't be occupied by any SSL certificate. Are there any other, more correct ways to solve it? And a second question: why does IIS overwrite URLs in this case, rather than e.g. redirect to https://secure.example4.com? Is it documented somewhere?
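
An added example, not part of the original post: a small audit that models the binding table and DNS records described above and lists every hostname that reaches an HTTPS binding whose certificate does not cover it. It assumes the HTTPS site is selected by IP address and port alone (no host header on the SSL binding); the 192.0.2.x addresses and the DNS targets of the secure.* names are constructed stand-ins.

```python
# Added example with constructed data: 192.0.2.1-4 stand in for the post's IP1..IP4.
HTTPS_BINDINGS = {  # (ip, port) -> (site, certificate name)
    ("192.0.2.1", 443): ("Site 1", "secure.example1.com"),
    ("192.0.2.2", 443): ("Site 2", "secure.example2.com"),
    ("192.0.2.3", 443): ("Site 3", "secure.example3.com"),
    ("192.0.2.4", 443): ("Site 4", "secure.example4.com"),
}
DNS = {  # hostname -> IP; the secure.* targets are an assumption, the post does not give them
    "example1.com": "192.0.2.4",
    "example2.com": "192.0.2.4",
    "example3.com": "192.0.2.4",
    "example4.com": "192.0.2.4",
    "secure.example1.com": "192.0.2.1",
    "secure.example2.com": "192.0.2.2",
    "secure.example3.com": "192.0.2.3",
    "secure.example4.com": "192.0.2.4",
}

def cert_matches(host, cert_name):
    """Exact match, or a single-label wildcard match such as *.example.com."""
    host, cert_name = host.lower(), cert_name.lower()
    if cert_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return host == cert_name

def audit(dns, bindings, port=443):
    """Return (host, site, cert_name) for each host served with a mismatched certificate."""
    findings = []
    for host, ip in sorted(dns.items()):
        # Assumption: the server picks the HTTPS site from IP:port only,
        # so the Host header the client sends plays no part in the choice.
        binding = bindings.get((ip, port))
        if binding is None:
            continue  # nothing bound to this IP on the HTTPS port
        site, cert_name = binding
        if not cert_matches(host, cert_name):
            findings.append((host, site, cert_name))
    return findings

if __name__ == "__main__":
    for host, site, cert in audit(DNS, HTTPS_BINDINGS):
        print(f"https://{host} -> {site}, certificate {cert} (name mismatch)")
```

With the sample data, all four HTTP host names are reported against Site 4; moving the Site 4 binding to a fifth address, as proposed in the post, leaves the report empty.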

