If you want to create a Web Application which is by default accesible through anonymous access, but specific subsites should be secured the following steps have to be made to realise this situation.
1) Create a Web Application with an Site Collection based on a template like Collaboration Portal. Any other template will do.
2) Open "Central Administration" and open the tab "Application Management". Under the header "Application Security" you will find an option called "Authentication Providers". When you have selected the link the following page appears:
3) Select the Authentication Provider, mostly "Windows" to make any changes
4) Check the "Enable anonymous access" and press the "Save" button
5) Open the Web Application in a browser and login. In our case we are using Windows Authentication and are requested for a Windows logon.
6) De root of your Web Application is shown
7) Select "Site Actions" on the right and select "Site Settings > Modify All Site Settings
8) Select "Advanced Permissions" under the header "User and Permissions"
9) Select under "Settings" the menu option "Anonymous Access"
10) Select the option "Entire Website" and press the button "OK"
So now your whole Web Application is anonymous accesible. The following steps need to be taken to secure a subsite within this Web Application. Select an existing or a new subsite
1) Select "Site Actions" on the right and select "Site Settings > Modify All Site Settings
2) Select "Advanced Permissions" under the header "User and Permissions"
3) Select under "Actions" the menu option "Edit permissions"
4) You will be warned that you're gonna created unique permissions for this Site. Press the button "OK" to continue
5) You will see a slight change in the list of users and the list menu on the top changes. Select under "Settings" the menu option "Anonymous Access". This will now let you change the way how anonymous access is handled for that specific subsite.
6) Because we will make this subsite secure we need to change the option to "Nothing". Press the button "OK" to continue
Your site http://demo will be still using anonymous access, while your subsite http://demo/secured does not use anonymous access anymore. Security for this website can be arranged by adding / removing people and roles.
If you access your site http://demo without logging in you will notice that the subsite you just made secure is not present anywhere in the navigation. When you login via the right top corner you will see that subsite appear again. This is of course caused by to the Trimmed GUI functionality of SharePoint.