you're right; ad_user_login doesn't get set temporarily with -forever false; it doesn't get set at all. ad_session_id also contains user_id and that's apparently what gets used within a session. (Again, please note that PersistentLoginDefaultP just unchecks the "store login info" checkbox BY DEFAULT; users can still check this box themselves. it has NO EFFECT on what features are enabled/disabled. If you want to disallow this completely you'll have to hack the login scripts a bit.)
I'm not clear on how the user_id part of ad_session_id gets zeroed out after you close your browser and come back to the site but it does. Maybe someone else can clarify.