I think both results are related. The anonymous notification would not have an order detail link. I think what happened in your case is at some point you were logged in and therefore the UserGuid on the cart was populated and remained populated even though you subsequently logged out therefore it sent you the authenticated notification that does have an order detail link but since you were not logged in (or were logged in as a different user) when you clicked the link that page was not allowed. Logging out does not clear the userguid on the cart so it remembers you after that unless you login again as a different user in which case the userguid would get updated to the currently logged in user. The cookie should be a session cookie so if you close the browser it should no longer be valid and a new cart would be established on the next browser session.
I think if you try it without ever logging in you will see it works correctly and there is no link to the order detail in the notification, the email itself is the only notification if we don't have a user attached to the order. As long as we do have a userguid populated we try to keep that so that the order can appear in the user's order history.
I will fix the problem where the form is showing if authenticated, it should not do that if there are no roles allowed to promise to pay later. I'll put out an update for that very soon and post again on this thread when it is ready.