This happens because the Guest account is enabled in Active Directory without a password. If you do not want to allow non-domain users to be authenticated as DOMAIN\guest, you should disable the Guest account in Active Directory if it is not required. If the Guest account is necessary, you should configure a policy to control access for the DOMAIN\guest user on the ProxySG. Here is a sample CPL policy that can be added to the local policy file that denies the Guest account Internet access. For further information on how to add CPL to the local policy file, please see 000010101.
; BEGIN Deny AD Guest access <Proxy> realm=IWA user="DOMAIN\guest" deny ; END Deny AD Guest access