Before a user can Login to WebAccess using a web browser, the user must first pass through Windows security of the Project nodes IIS (Internet Information Server). IIS is a "web server." WebAccess uses the WWW service (Web Server). Windows Integrated Security can be applied the Web Site to restrict user access via encrypted usernames and passwords.
Anonymous Access is not required (or recommended). The best way to secure your system is to use Windows Authentication in IIS (the web server software). Your WebAccess Project will act as if it is on an intranet, requiring all users be recognized by the Windows Operating System (as either a local user or Domain User). User will be asked for User Name, Password (and optionally Domain) just to connect. Using Windows Authentication in IIS (the Web Server) will reduce load on your web server from spurious requests from malicious users (and viruses) by denying access to unauthorized users.
If you have many users (for example a college campus or office building), then you may have to use Anonymous Access.
WebAccess works with all the security features associated with IIS including, Anonymous Access and Authenticated Access (i.e. Usernames and Passwords), Certificates, Secure Sockets Layer, VPN and firewalls.