When dealing with security and restricting access you have two main concepts - Authentication and Authorisation.
Windows Authentication and Forms Authentication are merely two ways of achieving the 1st part - authenticating a user. This is simply getting a user to prove their identity, regardless of the mechanism used the end result is the same - we know who the user is.
When it comes to securing the content a user needs to have been authenticated, however we then Authorise the user against particular resources and decide who can access what.
If you have no security as such and the site can be accessed by anyone then there is no need to implement any security.
If you need to track users individually e.g. for auditing purposes, but do not have any particular restrictions on what they can access then you would only need to implement some form of Authentication and only allow access to users who have authenticated; however once somebody has authenticated they can access anything on the site itself.
