man httpd makes it clear that the .htpasswd authentication does not apply to subdirectories.
.htpasswd exists in the directory of the current request, bozohttpd will restrict access to documents in that directory using the RFC 2617 HTTP “Basic” authentication scheme. Note: This does not recursively protect any sub-directories. Now, if one writes a script to replicate .htpasswd down the subdirs, that could have solved it. However now, most annoyingly, the browser would popup the password dialogue when you try to go to subdirectory. Has anyone come across this situation and how do you deal with it. I like bozohttpd's minimalistic approach and would switch away from it only as a last resort. Mayuresh