I've just downloaded and am configuring and trying out. Here's something I ran into. 

I've configured instance_config.py to include:
ANONYMOUS_ACCESS = 'deny'
ANONYMOUS_REGISTER = 'deny'
ANONYMOUS_REGISTER_MAIL = 'allow'

When emails are sent in, the appropriate user is created. If I follow the documentation, that user should not be able to log into the Web interface, based on my config. However, the user can log in with a password of 'None.'