
IIS 7.5 SSL https - wrong site appears when calling other site


IIS 7.5

non-ssl-test.com is port 80 only, secure-site.com is port 443 only

Both work if called correctly: http://non-ssl-test.com & https://secure-site.com

But if I call https://non-ssl-test.com and accept the certificate warning the content of secure-site.com appears.

WTF, I want https://non-ssl-test.com to fail!


Solution

  • That's exactly how IP mapping works when SSL/TLS handshakes happen.

    https://www.jexusmanager.com/en/latest/tutorials/https-binding.html#ip-based-bindings

    As IIS 7.x does not have SNI, all HTTPS requests go to the IP-based mapping. Web browsers see the certificate you bind there, and display whatever warnings/errors they would like to. The TLS handshake happens so early, and the browsers prompt immediately, so you have no way on IIS to avoid the prompt.

    If you want https://non-ssl-test.com to fail completely, you have to modify the site bindings to have no IP-based SSL binding at all. As the other answer indicates, that usually means another IP address is needed:

    • bind the two sites to different IP addresses.
    • bind the certificate to the IP address you like, but not the other.

    Then HTTPS requests to the second IP, without any certificate, would fail as you wished.
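
The two steps above as PowerShell using the WebAdministration module; this is an added example, not part of the original answer. The site names, both IP addresses and the certificate thumbprint are placeholders, and it assumes the existing HTTPS binding is `*:443:` with its certificate mapped at `0.0.0.0:443`.

```powershell
# Added example. Site names, IP addresses and the thumbprint are placeholders.
Import-Module WebAdministration

$secureSite = 'secure-site'        # assumed IIS site name for secure-site.com
$plainSite  = 'non-ssl-test'       # assumed IIS site name for non-ssl-test.com
$secureIp   = '192.0.2.10'         # placeholder: address secure-site.com resolves to
$plainIp    = '192.0.2.11'         # placeholder: address non-ssl-test.com resolves to
$thumbprint = '<CERT-THUMBPRINT>'  # placeholder: certificate in LocalMachine\My

# 1. Record the current state: site bindings and the http.sys certificate table.
Get-WebBinding | Format-Table protocol, bindingInformation -AutoSize
netsh http show sslcert

# 2. Remove the all-addresses HTTPS binding and its certificate mapping
#    (assumed to exist as *:443: and 0.0.0.0:443).
Remove-WebBinding -Name $secureSite -Protocol https -IPAddress '*' -Port 443
netsh http delete sslcert ipport=0.0.0.0:443

# 3. Bind HTTPS and the certificate to the first address only.
New-WebBinding -Name $secureSite -Protocol https -IPAddress $secureIp -Port 443
Get-Item "Cert:\LocalMachine\My\$thumbprint" |
    New-Item "IIS:\SslBindings\$secureIp!443"

# 4. Give the HTTP-only site a binding on the second address, port 80 only.
New-WebBinding -Name $plainSite -Protocol http -IPAddress $plainIp -Port 80 `
    -HostHeader 'non-ssl-test.com'

# 5. Confirm that the only certificate mapping left is for the first address.
netsh http show sslcert
Get-WebBinding | Format-Table protocol, bindingInformation -AutoSize
```

DNS for each hostname has to point at its own address for the separation to take effect.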