Moving this to answer, since I have a fair amount to throw at you.
So I've got a couple of resources for you. The first is a more basic "How To" on using forms authentication:
And a more advanced primer, that has many scenarios and a little more of an updated approach:
Now the attributes that you're looking at are aligned with the Authorization portion of the process, after authentication has been determined and roles established. Any authorization attribute can be added at the controller or action level.
The easiest attribute to touch on is the [ValidateAntiForgeryToken]. This token is used to make sure that your site is not being used as part of a Cross-site scripting attack. Don't worry about the details, just know that any user action that will modify the state of your application or persistent storage should be flagged with this.
The [AllowAnonymous] attribute does exactly what it says: A user does not need to authenticate before using this action. I also suggest it only be used on actions, it's not appropriate for controllers IMO.
The [Authorize(/*Role,User*/)] attribute is used to lock down an action or controller to either specific users (which is mildly silly) or to users that have an assigned role (groups). This is used to separate where permissions can be exercised in your controller.
If you're coming from a desktop development environment, you might not be terribly familiar with some of the access control methodologies that are in use in web applications. The RBAC standard is the one that MVC is wired for, and it is relatively effective. If you're mildly masochistic and working from an architectural point-of-view, NIST has a number of RBAC resources available for research: