I'm sorry, but this is not quite clear to me.
An ACL rule consists of three entries: (1) the resource, (2) the group or user and (3) the right which is assigned to the user or group for that resource.
Hence, I think you might mean '*, @ALL, none' when you say 'when all is set to none'. If this is the case, that might explain why normal users can see neither pages nor images in the root namespace. It does, however, not explain why you do not see those when logged in as administrator. The ACL does not apply to administrators; administrators can access everything.