Thanks for that - it was my understanding too and just proves I'm not going mad.
In the site map the url for my package has permissions set for public read and public create so if everything is working and I don't explicitly code the calls you mention I should be able to display the submission page without getting a login.
Two thoughts occur:
1. I have the parameter RestrictEntireServerToRegisteredUsersP set to 0. Are there any known problems with this?
2. I was testing by logging out then calling the index page. Is there anything (other than the session_id cookie which I deleted) which could be triggering the sign-on? The developement machine is behind the firewall otherwise I'd ask someone to try requesting the page to see what they get.
Anything else I can check?
Steve