Any insights are helpful.
A good explanation can be found on the .NET Development Forum:
[I]t is not true that you have to enable anonymous in order to host WCF in IIS. There are some restrictions when you configure bindings though. The basic principle is that: the settings for the WCF binding should be compatible with IIS settings. This means that if you want to enable transport layer authentication in the binding, you have to do so to the virtual application in IIS. For example, when you use BasicHttpBinding, you can enable the transport layer auth by setting the security Mode to "TransportCredentialOnly". You can disable IIS anonymous auth in this case.
However, there is one special case: if you are using WSHttpBinding over HTTP instead of HTTPS, you would have to enable anonymous in IIS. This is because none of the security modes for WSHttpBinding allows you to configure transport-layer authentication over HTTP, which has been implemented in BasicHttpBinding. Of course, you can solve this by using either BasicHttpBinding or CustomBinding. This is not a limitation. Instead it tries to reduce confusion since you would use either SSL (as transport layer security) or message security with WSHttpBinding.
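The matching settings described in the quoted post, as an added web.config example (not part of the forum post). The service, contract, and binding names are hypothetical, and it assumes the IIS authentication sections are unlocked for this application; otherwise, set them in IIS Manager instead.

```xml
<?xml version="1.0"?>
<!-- Added example: WCF binding settings kept compatible with IIS authentication.
     Example.OrderService / Example.IOrderService are hypothetical names. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="WindowsAuthOverHttp">
          <!-- Transport-layer authentication over plain HTTP.
               This mode authenticates the client only; it provides no
               message integrity or confidentiality. -->
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
      <wsHttpBinding>
        <binding name="WindowsAuthOverHttps">
          <!-- WSHttpBinding has no HTTP-only transport authentication mode;
               Transport mode requires an HTTPS binding on the IIS site. -->
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <services>
      <service name="Example.OrderService">
        <endpoint address=""
                  binding="basicHttpBinding"
                  bindingConfiguration="WindowsAuthOverHttp"
                  contract="Example.IOrderService" />
      </service>
    </services>
  </system.serviceModel>
  <system.webServer>
    <security>
      <authentication>
        <!-- IIS side must agree with the binding: anonymous off, Windows on. -->
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

With the endpoint switched to a WSHttpBinding that uses message security over HTTP, the IIS settings would need anonymous authentication enabled, which is the special case the post describes.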