because they're different authentication schemes entirely.
By using disabled Anonymous access (using a Windows account), one is TECHNICALLY running an application in open mode (there is no application-level authentication) and relying on IIS to deny the pages to those people who are either not authenticated with your domain or not authorized to view the pages). The application is only aware of who is running it, because of the LOGON_USER variable, but the application has not authenticated the user at all. What has performed the authentication is IIS (which denies users based on domain name or groups, etc).
When you tell the application to authenticate via WINDOWS then you're tying that website's application account into the information coming from IIS (the LOGON_USER variable) is to be treated as that application account.
Forms Authentication, expects you to generate an object that implements IPrincipal, and assign it to the application for a specific set of requests (which allows you to access things like Page.User.IsAuthenticated). Additionally, it expects a FormAuthenticationTicket to be created, and set (this is dealing with cookies an what not.) These things can be done via the login providers OR manually.
Now, here's the fun stuff.
In order to use the FORMS authenticate mode and disabled anonymous access, all you must do is automatically log the user into the system (generate a FormsAuthentication cookiee) with the information passed to the application via the LOGON_User variable. This can be done by checking if the user has been authenticated or the Global.asax method revolving around a new set of requests (say application_authenticaterequest or application_sessionstart)
Alternatively, you can allow anonymous access, but have the FORMS authentication be performed against your AD server: http://msdn.microsoft.com/en-us/library/ms998360.aspx