The reason this is happening is because they are running the web-site using the built-in VS 2005 Web Server (aka Cassini) -- which processes all requests (including static files) through ASP.NET.  This means that authorization rules apply to all URL resources -- and not just dynamic ones (by default in IIS static files don't have the above authorization rules applied).  Because there is a directive to block all resources if the user is anonymous, the built-in web-server is not allowing a user to retrieve the images or stylesheet from the login.aspx page when they aren't logged in.