Recently a customer was running into an issue of having a publishing site with anonymous access displaying "All Site Content" (the _layouts/viewlsts.aspx page) to anonymous users. This was a destination site in a WCM scenario which received all its content through content publishing jobs. At first I thought lockdown mode had not been enabled. But it was enabled. Strangely, two other farms (the source farm and another destination farm) didn’t exhibit this behavior and properly prevented access to the _layouts directory for anonymous users.
The solution was found in an anonymous post on the Portalnd SharePoint User Group site. The full thread is here.
Our fix was to uncheck, apply, and recheck, and apply anonymous access in the root site under "User and Permissions". This issue can occur when using publishing sites and content deployment which automatically activates the hidden lockdown feature "ViewFormPagesLockDown". If this feature is activated after anonymous access has been enabled we found that simply disabling and re-enabling anonymous at the root site (not Central Admin nor IIS) fixed our problem by preventing anonymous access to the "All Site Content" page.