1.go to http://localhost:8080/magnoliaPublic/.magnolia/log4j and set for info.magnolia.cms.security.SystemUserManager level to DEBUG
2.then go to security app - roles and edit anonymous role. In ACL add new deny access rule for /demo-project in website repository and save dialog
3.check the log you should see DEBUG info.magnolia.cms.security.SystemUserManager : Anonymous user reloaded, but it's not there.
but if you set in role info tab for example full name then the anonymouse user and permissions are correctly reloaded.