It's not quite clear to me what you are asking about, but it looks like an unauthenticated user was able to access a resource you believe should have been protected and you want to know why. You should always study the web agent trace log to track how the web agent handled a request for any particular resource. Prior to the web agent making the IsProtected call to the policy server, the agent will print to its trace log the requested URI and the resolved agentname. These are the two pieces of information sent in the IsProtected call, and the policy server uses this combination of values to match the request to a realm. If the request matches a protected realm, the resource is protected and the user must authenticate or have a valid session to access. If the request matches either no realms or matches an explicitly unprotected realm, no session will be required to access the resource.
If your policy server is on Windows, the SM Test Tool would have been installed by default. This is a powerful tool for troubleshooting policy setup as it simulates a web agent and allows you to explicitly make calls such as IsProtected to see the response from the policy server without having to reference the agent trace log.
I hope this information helps.
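A simplified model of the realm matching described in the answer above, added here as an example; it is not part of the original post and is not the policy server's code. The realm list, the agent names, the URIs and the longest-prefix tie-break are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Realm:
    agent_name: str       # agent name the realm is bound to
    resource_filter: str  # URI prefix the realm covers
    protected: bool       # False models an explicitly unprotected realm


# Constructed sample policy (hypothetical names, not from a real policy store).
REALMS: List[Realm] = [
    Realm("portal-agent", "/app/", True),
    Realm("portal-agent", "/app/public/", False),
]


def match_realm(agent_name: str, uri: str,
                realms: List[Realm] = REALMS) -> Optional[Realm]:
    """Match on the pair sent in the IsProtected call: agent name and URI.

    Assumption: when several realms match, the longest resource filter wins.
    """
    hits = [r for r in realms
            if r.agent_name == agent_name and uri.startswith(r.resource_filter)]
    return max(hits, key=lambda r: len(r.resource_filter), default=None)


def is_protected(agent_name: str, uri: str,
                 realms: List[Realm] = REALMS) -> bool:
    """True only when the request lands in a protected realm."""
    realm = match_realm(agent_name, uri, realms)
    return realm is not None and realm.protected


def explain(agent_name: str, uri: str, realms: List[Realm] = REALMS) -> str:
    """Give the reason for the decision, the thing to look for when a
    resource is reachable without a session."""
    realm = match_realm(agent_name, uri, realms)
    if realm is None:
        return "no realm matched: no session required"
    if not realm.protected:
        return f"unprotected realm {realm.resource_filter}: no session required"
    return f"protected realm {realm.resource_filter}: session required"


if __name__ == "__main__":
    for agent, uri in [("portal-agent", "/app/account"),
                       ("portal-agent", "/app/public/logo.png"),
                       ("portal-agent", "/static/site.css"),
                       ("other-agent", "/app/account")]:
        print(f"{agent:13} {uri:22} -> {explain(agent, uri)}")
```

The last sample request shows why both trace-log values matter: the URI sits under a protected filter, but a different resolved agent name means no realm matches.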