To answer your question, just disallow the tunnel extension in IIS. Also under QEMC --> System --> QlikView Servers --> Security, uncheck "Enable server push over HTTP tunnels." That should force it to try only your QVS port (4747 by default).
Yeah, there is virtually no documentation for HTM files in QlikView.
Actually, if you had disabled tunneling in IIS your code would not have been able to use the tunnel, but it's good that you cleaned it up a bit. You said before that there is no firewall--did you make sure to disable Windows firewall as well (both server- and client-side)? The reason I'm asking is that QlikView will use 4747 by default unless it's unavailable and only then will it switch to tunneling. So test communications on that port...
Another thing: is it possible that the delay is caused by large file size, rather than any network issues? It could just be that a big file takes a while to load...
settings.js by default is entirely commented out so would be seem like a blank file. This is used for changed the communications port when using IIS. So I wouldn't worry about this file, it's pretty harmless.
The unauthorized http traffic is completely normal. That's the auth handshake, and always comes back unauthorized at first.
If your application is 1.7 GB, it's definitely going to take a while to open just because of network communication delays (even if the file is preloaded in server memory). This also seems completely normal to me. So, basically, I don't think you actually have any problems