Resolved. I took a four hours break. Reread the "Unauthorized Versus Error Page" section of
http://bobsguides.com/revolution-permissions.html. It became clear that there is a default ACL for anonymous users (something I never realized all my time with MODx). But where is it defined in the Manager?
I googled "modx revo anonymous user" and arrived at:
http://rtfm.modx.com/revolution/2.x/administering-your-site/security/security-tutorials/more-on-the-anonymous-user-group
So I went back to
http://bobsguides.com/revolution-permissions.html. From there, I then realized there needs to be a Resource Group Access ACL on the default anonymous user group for me to achieve the redirecting I desired.
If you would like them [anonymous users] to be sent to the Unauthorized page instead, you can do the following:
Create a new Resource Group Access ACL entry for the Anonymous User Group with the Resource Group of the protected resources, a Context of "web," a Role of "Member" and an Access Policy of "Load Only." Do this for each protected Resource Group
So I created the RGA ACL on the anonymous UG, cleared cache, used a browser that has never been used to access the manager in a while and that's it.
If you've accessed manager (logged out or not) it might bounce off to the error page rather than unauthorized.
[ed. note: ojchris last edited this post 10 years, 4 months ago.]