+2  A: 

Regarding Q1: What if CacheRolesInCookie were set to false? Then there would not be enough info to determine the roles.

Regarding Q2: quoting from http://msdn.microsoft.com/en-us/library/aa302376.aspx

"The activated authentication module is responsible for creating an IPrincipal object and storing it in the HttpContext.User property. This is vital, because the downstream authorization modules use this IPrincipal object in order to make authorization decisions. In the absence of authentication (for example, where anonymous access is enabled within IIS and ASP.NET is configured with ), there's a special non configured module that puts a default anonymous principal into the HttpContext.User property. As a result, HttpContext.User is always non-null after authentication."

Peter Stuer
Thank you, and sorry for not replying sooner.
SourceC