Yes, an anonymous id is a GUID. The cookie string is an encrypted value containing the id and other data:
[Serializable]
internal class AnonymousIdData
{
internal string AnonymousId;
internal DateTime ExpireDate;
internal AnonymousIdData(string id, DateTime dt);
}
By default, anonymous cookies are valid for 90 days and are refreshed every visit.
You can treat Request.AnonymousID as the request username when Request.IsAuthenticated==false.
see AnonymousIdentificationModule
UPDATE:
In response to a comment, yes, you can decode the value, but why?
string aId = Request.AnonymousID;
string anonCookieValue = Request.Cookies[".ASPXANONYMOUS"].Value;
MethodInfo method = typeof(AnonymousIdentificationModule).GetMethod("GetDecodedValue", BindingFlags.Static | BindingFlags.NonPublic);
object anonymousIdData = method.Invoke(null, new object[] { anonCookieValue });
var field = anonymousIdData.GetType().GetField("AnonymousId", BindingFlags.Instance | BindingFlags.NonPublic);
string anonymousId = (string) field.GetValue(anonymousIdData);
field = anonymousIdData.GetType().GetField("ExpireDate", BindingFlags.Instance | BindingFlags.NonPublic);
DateTime expired = (DateTime) field.GetValue(anonymousIdData);
// why? just use Request.AnonymousID
Debug.Assert(aId == anonymousId);