Ok, I managed to solve the issue by removing the authorization element from the root web.config:
<authorization><deny users="?"/></authorization>
It is still unclear to me how this setting conflicts with MVC architecture. I used this so resources sould be authorized to the public explicitly (not limited to actions and views).
What's even stranger is the odd behavior with one action being allowed and not the other.
I will surely adapt to the MVC way for other types of resources. I wish that would work fine with MVC.
Thanks everyone for taking the time to look into this. I appreciate.
I hope this helps someone else.
Regards,
Fábio