Could you also meanwhile clarify, why if I add new module 'user2' with 'register' view I also need to add new policy record for Anonymous to allow access user2/register, while I have no any such record for kernel's user/register?
If you look in the default site.ini, you'll see that user/register is on this list:
[RoleSettings]
# [...]
# A list of modules to omit policy checking on,
# You should add 'role' to the list if you loose
# access to the role module
# You can also specify views by adding a / and the viewname
PolicyOmitList[]
PolicyOmitList[]=user/login
PolicyOmitList[]=user/logout
PolicyOmitList[]=user/register
PolicyOmitList[]=user/activate
PolicyOmitList[]=user/success
PolicyOmitList[]=user/forgotpassword
PolicyOmitList[]=layout
PolicyOmitList[]=manual
PolicyOmitList[]=ezinfo
PolicyOmitList[]=paypal/notify_url
PolicyOmitList[]=switchlanguage