Sorry, I misunderstood you.
How are the users accessing the unpublished pages (e.g., Menu, direct entry of the URL in the browser, MODX link tag on the page, raw link code on a page)?
If I’m getting you,
1. The unpublished resources are in a context other than ’web’ or ’mgr’ and there is no Context Access ACL entry at all for that other context.
2. When you look at those resources in the Create/Edit Resource panel in the Manager, the published checkbox is unchecked.
3. (anonymous) users, not logged in in either the front end or back end, can see the content of those resources in a separate browser and no one is logged in to the Manager in that browser at the time.
First, try deleting all the files in the core/cache directory. Then clear the browser cache and cookies in the other browser (the one you’ll be accessing the pages in). If you still see the resource content of those unpublished resources, it really sounds like a bug and should be reported here:
http://bugs.modx.com/.