Ok, great.
Here's what you'll want to do, assuming using the built in ArcGIS Server user and role store is OK:
a. Using ArcGIS Server Manager, open the 'security' tab.
b. Click 'roles' and create a new role - eg: Authorized Users
c. Choose a role type - typically the 'user' role is sufficient, but you could select 'publisher' or 'administrator'. If you don't want users of this service to publish services or administer your GIS Server, choose 'user'.
d. In the 'users' tab, create a few users and assign passwords. Using the dialog, add the users you create here to the role. Essentially, you'll have a 'role' container named, for example, Authorized Users. In the role container, you'll have your users, like Jim, Bob, Mary, User1, Auditor, or whatever you choose to name them. Jim, Bob, and Mary now have rights assigned to the 'user' role type.
e. Finally, you'd go back to the opening page of ArcGIS Server Manager, click the little 'lock' icon next to a service, and set the service to be secured to users that belong to your 'authorized users' role. Basically, you click the role and then click the arrow button to indicate that only people in the 'authorized users' role can access your service.
The DOC Jayanta mentioned above should help.
I don't think you have to actually provide a valid email address when creating a user in ArcGIS Server (I never do, or if I do I fake it like a@a.com). The GIS Server won't use it.
I think that's what you mean when you were asking about anonymous users - since I test internally, I make up al kinds of names, and most of them are simply 'user1' or 'user2'. I don't tie them to any specific person.
Hope that helps.
