This is a new issue after commit of r13654 to fix issue #2186.

Permissions granted to Anonymous at global level will apply to everybody, even
if their row in global matrix doesn't have that permission checked. This is
because _hasPermission in GlobalMatrixAuthorizationStrategy checks Anonymous
after the things that SidACL._hasPermission checks (user,groups,Everybody).

AuthorizationMatrixProperty also has this extra Anonymous check in
_hasPermission.. however, it is no longer used because the inner class in
SidACL.newInheritingACL calls child and
parent.hasPermission(Sid,Permission) directly, so it bypasses
_hasPermission(Authentication,Permission) in those SidImpl classes.

Here are the steps to see the ANONYMOUS problem:

1. Global perms:
Anonymous does not have Workspace permission
UserX is either not listed, or does not have Workspace permission
2. ProjectX perms:
Anonymous does have Workspace permission
UserX is listed and does not have Workspace permission

When UserX logs in and visits some project that does not have any
project-specific permission, he can see the workspace (it will use only root
ACL, so anonymous is checked). But when UserX visits ProjectX it does not show
the Workspace. He can logout and see the workspace as anonymous, however (since
anonymous is the actual user, that row IS checked).

The workaround is easy (if you grant something to anonymous in a project, always
check that box in every other row in that matrix), but this does seem like a
bug, no? Different behavior in the global matrix and project matrix.