Tonight I realised that with default forms authentication turned on, a linked css file (from a link tag in head) will not load on the login page before a user logs in, so the site has no css before the user logs in!!
right before the </configuration> in the web.config file add…
replace myskin.css with any file you wish to grant unauthorised access to! 🙂