What version of Kentico are you running?
I'm not sure what would cause the opposite to happen - I would assume that the GUID / permanent URL would go through the Kentico system because it has to resolve it. Using a direct path means that IIS can serve the file directly (because it's physically located on disk on the server), so no Kentico permissions can be checked.
Do you know if you have the runAllManagedModulesForAllRequests="true" option enabled on the system.webServer/modules section in your web.config file? That may have an effect on it, as well.
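
One way to check the setting asked about above, as an added example that is not part of the original reply: it reads a web.config and reports, for the site root and each location section, whether runAllManagedModulesForAllRequests is on and which modules are limited to managed requests by preCondition="managedHandler". The sample config and its module names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config; the module names are hypothetical.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <modules>
      <add name="ExampleAuthModule" type="Example.AuthModule"
           preCondition="managedHandler" />
      <add name="ExampleLogModule" type="Example.LogModule" />
    </modules>
  </system.webServer>
  <location path="media">
    <system.webServer>
      <modules runAllManagedModulesForAllRequests="true" />
    </system.webServer>
  </location>
</configuration>"""


def audit_modules(xml_text):
    """Return one finding per system.webServer/modules section."""
    root = ET.fromstring(xml_text)
    # The root scope applies site-wide; <location path="..."> overrides per path.
    scopes = [("/", root)]
    scopes += [(loc.get("path", ""), loc) for loc in root.findall("location")]
    findings = []
    for path, node in scopes:
        modules = node.find("system.webServer/modules")
        if modules is None:
            continue
        # The attribute defaults to false when it is absent.
        flag = modules.get("runAllManagedModulesForAllRequests", "false")
        run_all = flag.lower() == "true"
        # Modules gated by preCondition="managedHandler" run only for requests
        # mapped to a managed handler, so a static file request skips them
        # unless run_all overrides the precondition.
        gated = [m.get("name") for m in modules.findall("add")
                 if "managedHandler" in (m.get("preCondition") or "").split(",")]
        findings.append({"path": path, "run_all": run_all,
                         "skipped_for_static_files": [] if run_all else gated})
    return findings


if __name__ == "__main__":
    for finding in audit_modules(SAMPLE_WEB_CONFIG):
        print(finding)
```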