The default Authenticate action WILL NOT authenticate the user if during policy evaluation the request also matches a deny rule. The purpose of using the Authenticate action is for efficiency. The logic is that since it has already been determined that the request will be denied, the ProxySG will not go through the additional steps to authenticate the user which saves time and resources on the ProxySG. Proxy administrators who DO NOT need to enforce an internet security policy that requires that they identify users attempting to access blocked sites will choose this option for performance purposes.
The Force Authenticate action WILL authenticate the user even when the request also matches a deny rule. The purpose of using Force Authenticate is to ensure that usernames are logged even when the request will be denied. Proxy administrators who DO need to enforce an internet security policy that requires that they identify users attempting to access blocked sites will use this option for security purposes.
Additional use information: Keep in mind that even when using the default Authenticate action, if policy has web access layer rules that include domain user/group based conditions and those rules are evaluated before reaching a deny rule with NO domain user/group based condition, authentication will still proceed in order to determine whether or not the said user/group based conditions match. However, if the request matches a deny rule and no rules with domain user/group based conditions are evaluated, this is when using the default Authenticate action will deny the request without proceeding to authenticate the user.