Hi Summer7,
It is possible to secure your generated services in this manner. The first thing you'll want to do is disable the webanon user so that anonymous requests can no longer succeed. Removing the user is one way of accomplishing this and it sounds like you've already done that. If you are setting up a new environment at a later date, you can choose not to enable anonymous access when you are configuring your installation using the SAS Deployment Wizard.
Once you've disabled anonymous access, you'll need to supply credentials with every call to your generated web services. Since you intend to use SAS Host Authentication, you will pass your username and password in the WS-Security header of your request. If you are testing in the SOAPUI tool, there are fields in the Request Properties section (should be in the bottom left of the screen when you have the request opened) called Username and Password. You will also need to change the WSS-Password Type in SOAPUI to PasswordText. If you are calling your generated web services from a programming framework, please consult that framework's documentation for information on how to supply values for WS-Security headers.
You can consult the SAS BI Web Services Developer's guide (http://support.sas.com/documentation/cdl/en/wbsvcdg/61496/HTML/default/a003257589.htm) and the SAS Web Application Administration Guide (http://support.sas.com/documentation/cdl/en/biwaag/63059/HTML/default/a003313657.htm) for more information on securing SAS BI Web Services.
Thanks, and let me know if you have any more questions.