The reason this is happening is because they are running the
web-site using the built-in VS 2005 Web Server (aka Cassini) -- which processes
all requests (including static files) through ASP.NET. This means that
authorization rules apply to all URL resources -- and not just dynamic ones (by
default in IIS static files don't have the above authorization rules
applied). Because there is a directive to block all resources if the user
is anonymous, the built-in web-server is not allowing a user to retrieve the
images or stylesheet from the login.aspx page when they aren't logged in.