no, bot's generally don't accept cookies (that is, most do not), they can however be instructed to accept them, so you cannot rely on them not accepting cookies nor them accepting cookies. sorry. for acl-thingies, I'd go for the IP. Most bots, especially the ones who run amok on your site without checking robots.txt aren't coming from dynamic IPs in my experience, but are running on dedicated servers or at universities and thus can easily be blacklisted by IP.

Although bots can be programmed to mimic human behaviour, it's futile to attempt to keep them out by giving them cookies. First of all you need to be able to identify them as non-human with a certain degree of accuracy. Look at the user-agent string and the IP, but most of all look for unusual behaviour like following hidden links, filling in hidden form fields, or eating through your bandwidth too quickly.

Look in to Project Honeypot. Their main focus is preventing email harvesters, but they're starting to tackle comment spammers as well now.

Ok, where is the best place to put a hidden form field so that it causes the most annoyance to the bot?

Is there much overhead to a hidden form field? does it slow down the legitimate user much?

Ok, where is the best place to put a hidden form field so that it causes the most annoyance to the bot?

Why would a hidden field bother a bot?

I guess there's two kinds of robot activity to block.... There's blocking (nasty) robots from your site entirely, perhaps to avoid wasting unnecessary bandwidth or harvesting your content and then there's preventing robots (any kind of robots) from posting on your forms. Preventing robots from posting on your forms is generally the 'security' hole you need to plug.

This long thread has a lot of useful tips on the subject:
Frustrated with Spambots Coming In through Webmail Forms [webmasterworld.com]