This article from Microsoft details how to implement transport security with an anonymous client.
http://msdn.microsoft.com/en-us/library/ms729789.aspx
I'd like to know if it is possible to achieve the same goal, using netTcpBinding instead of WsHttpBinding and hosting the service as a Windows Service.
Yes, I don't see any reason why this wouldn't work over netTcp Binding. By default, netTcp is using transport level security already, but also Windows credentials. Just turn those off, and you should be good to go.
<bindings>
<netTcpBinding>
<binding name="SecureNetTcp">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</netTcpBinding>
</bindings>