I would not trust any "implicit" attempt at authenticating the user, via IP address, hostname, whatever. If you're looking at securing your application, you might want to consider distributing UserID's for your users and requiring them to authenticate when they enter the protected area of your site.

Unfortunately, if you automate user creation, you're stuck in the same boat unless you take extra steps to try and verify the user's identity. Even requiring a valid e-mail address before their username is accepted isn't always a fool-proof way of establishing identity, as Hotmail accounts are available to anyone that wants one (or 10).