I'm not clear on the use of the Non-authenticated role. The documentation says that a new user can be assigned the Non-authenticated role without email verification, and then be assigned to the "authenticated user" role once they follow the link in their welcome e-mail. In addition, "It is HIGHLY recommended that you set up a 'pre-authorized' role with limited permissions for this purpose".
However, my understanding is that all new roles inherit the permission of the "authenticated user" role. So how would assigning a user to a pre-authorized role have any fewer permission than assigning them to "authenticated user"?