yes, you are correct, anonymous viewing was not possible with the initial release of xowiki 0.36. i have committed a small patch to fix this problem. It contains two parts: changing the permissions for "view" in policy1 to "none" (see xowiki/tcl/package-procs.tcl) and pass the actual user-id from the view-page to the conditional links (such that the permission checking for the conditional links does not force the login).
After a cvs update, two settings are required for anonymous viewing:
- give "the public" read permissions for the package ("permissions" link on admin page), if applicable, for the subsite as well. and
- use policy1 as security policy ("parameters" on the admin page, policy1 is the default).
For your setup, just the update should be enough.