One of our clients would prefer not to have any cookies at all on the public portions of their website. Of course for the back-end tools we use session state extensively, but it's not really necessary for the public parts of the site.

Is it possible to just turn off session state for anonymous visitors, but leave it on for logged-in users?

+1  A: 

In a word... no.

But you could logically separate your application into different apps that appeared seamless to users.

I.e.:

wwwroot\myapp (public site, no cookies)
wwwroot\myapp\private (virtual directory, actually a different app)

This of course would require that none of the public parts behave differently between public/logged-in users.

Bryan
Right, unfortunately logged-in users see the public site plus editing tools; so I can't separate them out that way.
Herb Caudill
+1  A: 

If all you want is to avoid the cookie overhead for the static files (images/javascript/css etc.), you could set up a cookieless domain and serve your content from there; one guide here: http://www.ravelrumba.com/blog/static-cookieless-domain/

That would probably cut cookie traffic by 90%.

You could probably use the same principle for directing the logged-on users to a different domain where they would log on and set cookies.

If they don't want cookies because those cookies would be third-party cookies (the site is hosted from an iframe on a different site) and IE doesn't allow this by default, you can use P3P to convince IE that it's cool: http://www.w3.org/P3P/

If they don't want cookies as a matter of principle then you're a bit out of luck, though ASP.NET does support cookieless sessions, but they are not secure even on SSL (transfers session ID in URL) and have other issues (ugly URLs, WCF throws a fit, etc.). It might be a viable option, though, if the client is religious on cookies.

AndreasKnudsen
Yeah - it's a religious thing, not a performance thing.
Herb Caudill
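
The answer above notes that cookieless sessions carry the session ID in the URL. As an added example (not part of the original answers), the Python below scans access-log lines for the `(S(...))` URL segment ASP.NET uses in cookieless mode, reports session IDs requested from more than one client IP, and redacts IDs before a log is shared. The 24-character lowercase ID format is the ASP.NET default and is assumed here; the function names and log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Cookieless ASP.NET URLs look like /(S(<session id>))/page.aspx.
# Assumption: default 24-character lowercase alphanumeric IDs.
SESSION_SEGMENT = re.compile(r"\(S\(([a-z0-9]{24})\)\)")

# Common Log Format: client IP, two ignored fields, timestamp, request line.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)"')

# Constructed sample data (documentation IP ranges, made-up session IDs).
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /(S(abcdefghijklmnopqrstuv01))/default.aspx HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:05:00 +0000] '
    '"GET /(S(abcdefghijklmnopqrstuv01))/edit.aspx HTTP/1.1" 200 734',
    '192.0.2.44 - - [01/Jan/2024:10:06:00 +0000] '
    '"GET /(S(zyxwvutsrqponmlkjihgfe55))/default.aspx HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2024:10:06:01 +0000] '
    '"GET /styles/site.css HTTP/1.1" 200 2048',
]


def redact(text):
    """Replace every embedded session ID so the text can be shared."""
    return SESSION_SEGMENT.sub("(S(REDACTED))", text)


def shared_sessions(lines):
    """Return {session_id: sorted client IPs} for IDs seen from >1 IP."""
    seen = defaultdict(set)
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        for sid in SESSION_SEGMENT.findall(match.group("request")):
            seen[sid].add(match.group("ip"))
    return {sid: sorted(ips) for sid, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    for sid, ips in shared_sessions(SAMPLE_LOG).items():
        print(f"session {sid[:4]}... requested from: {', '.join(ips)}")
    print(redact(SAMPLE_LOG[0]))
```

A session seen from several IPs is a lead to review, not proof of misuse: mobile clients and proxies change addresses within one legitimate session.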