Yes we have the Requires Authentication choice also selected on the majority of the site so I guess I could eliminate the denial for unauthenticated user as this is a duplication. Good point.
Both internal and external users go through openid but we do have roles setup that contain customers, internal users, and clients, external users. But as I stated, if I change the security setting on a page to deny the external users and then have a user with that role login they can access the page. Some how the security is not being correctly determined. THe only thing I have found so far is to deny all and then only global admins can access the page but I don't want to assign alot of people the global admin role who really should not be given that level of access.