The first two are really about access to an ASP.NET virtual directory or virtual application in IIS6 – that has basically nothing to do with WCF (WCF is actually not part nor dependent on ASP.NET). The settings control how the HTTP request coming into the IIS6 web server is being handled in terms of authentication. This basically controls whether anonymous callers from the internet can just call in without authenticating, or whether they need to enter username/password, or whether only callers with a valid Windows identity in this domain are allowed in.

The only reason this is interesting to your WCF service is the fact that when you host the WCF service in IIS (only one of the many options), then you have a (myservice).svc file that needs to reside inside a virtual directory. Of course, access to that SVC file is controlled by the authentication settings of IIS6/ASP.NET.

The security mode inside the <wsHttpBinding> section is the security-related definition of how the WCF service will communicate with its clients. Mode=Transport means, you’re securing the actual transport layer – typically using SSL – not each message separately. This setting works great in Intranet scenarios where you have all clients behind a corporate firewall – but it won’t work too well in Internet scenarios, since you can’t really control the whole chain from the client (anywhere on this planet) over a series of intermediary hops to your server – you just can’t. In this case, you’d have to use Mode=Message which basically encrypts and signs each message that goes over the wires – that works over any number of routers and relays along the way from the point of origin to your server.