The IsAuthenticated property does affect the behavior of the EntityManager. One example, among others, is it can affect how an EM can query or save entities in conjunction with what security attributes you mark your entities with. In other words, the usage of DevForce security attributes is how you can limit your "unauthorized user" access. 

See if this DRC topic can help you get started. http://drc.ideablade.com/xwiki/bin/view/Documentation/authorize

The reason why I ask is thus; say we have a username and password for the user to enter on the login screen and they have forgotten their username (not that unlikely!). Say we have some "Forgotten your username?" and "Forgotten your password?" links, we want these to be able to prompt the user for some other data, like their e-mail address, and be able to look up the required information in the database. Obviously this requires a connection to the server, so could I log in and return an "unauthorized user" to then use to lookup the relevant user data? If so, is there a "best strategy" for limiting the access of this unauthorized user?