My impression is that, when I hit Stack Overflow for the first time, it records my IP address as a user since I can ask a question without being logged in, in the traditional sense, but I'm still tracked.

Is this what SO does? Base a non-logged-in user as an IP address? Or is it a combination of cookies/sessions and IP?

I want to implement a similar solution, but I'm afraid of IP modification and users faking an IP to obtain another user's account. How should I handle this?

+1  A: 

Stack Overflow uses a cookie rather than your IP address. You could be using a misconfigured (perhaps on purpose) proxy, so IP address isn't reliable anyway. (This is from memory; I haven't been intentionally logged out of SO in a long time. ;)

By using the same practices as you do with "normal" login cookies, you can trust it just as much as registered accounts. The only caveat is you have to generate it whenever a new/logged-out user visits the site—or better, right as they do something that requires tracking (such as post a question in the example of SO).

Roger Pate
SO logs me out when my connection gets flaky :(
BoltClock
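The cookie approach from the answer above, sketched as an added example (not part of the original answer and not Stack Overflow's code): an anonymous identity is created only when a visitor first performs a tracked action, and it is keyed to an unguessable random token, never to the client IP. The cookie name `anon_id`, the in-memory `_users` store and the `handle_post` function are assumptions made for illustration.

```python
import hashlib
import secrets
from http.cookies import CookieError, SimpleCookie

COOKIE_NAME = "anon_id"  # hypothetical cookie name
_users = {}              # sha256(token) -> user record; stand-in for a database table

def _digest(token):
    # Store only a hash, so a leaked table does not reveal usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()

def lookup_user(cookie_header):
    """Return the anonymous user record named by a Cookie header, or None."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return None
    morsel = jar.get(COOKIE_NAME)
    return _users.get(_digest(morsel.value)) if morsel else None

def issue_identity():
    """Create an anonymous user; return (record, Set-Cookie header value)."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    record = {"user_id": len(_users) + 1, "posts": []}
    _users[_digest(token)] = record
    jar = SimpleCookie()
    jar[COOKIE_NAME] = token
    jar[COOKIE_NAME]["httponly"] = True   # not readable from page scripts
    jar[COOKIE_NAME]["secure"] = True     # sent over HTTPS only
    jar[COOKIE_NAME]["samesite"] = "Lax"
    jar[COOKIE_NAME]["path"] = "/"
    jar[COOKIE_NAME]["max-age"] = 60 * 60 * 24 * 365
    return record, jar[COOKIE_NAME].OutputString()

def handle_post(cookie_header, remote_ip, text):
    """Tracked action (e.g. asking a question). remote_ip is never used for identity."""
    user = lookup_user(cookie_header)
    set_cookie = None
    if user is None:  # first tracked action, or an unknown/forged token
        user, set_cookie = issue_identity()
    user["posts"].append(text)
    return user["user_id"], set_cookie
```

A request that arrives from a different IP with the same cookie maps to the same user, while a request from the same IP with a guessed cookie value gets a fresh identity instead of someone else's.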