You are trying to secure the IIS server where MessageMaster console and EventMaster Server are installed, and you find that the EventMaster directory (MessageMaster\data) has Anonymous access allowed.
This is by design, and is required. If you do not have Anonymous access allowed on the EventMaster directory (MessageMaster\data) in IIS, you need to enable it to allow your EventMaster clients to receive configuration information from the EventMaster server.
The EventMaster data directory resides under the MessageMaster IIS virtual directory. It must be configured for anonymous access so that EventMaster clients can connect to it and download configuration data (critical, excluded, and unconsolidated events). This is because the EventMaster client service runs as Local System. As such, it has no network credentials when it contacts the IIS server running the EventMaster Server, and must be allowed in as an Anonymous user.