This is probably too late to help you guys, but I found that simply placing the Auth code before the WP section in the .htaccess file worked just fine. Also, it helps not to add the order or allow/deny bits, as those just seem to confuse Apache on DH. The auth bit works just fine without those statements.
All real subdirectories and password protected subdirectories, and even redirected password protected subdirectories showed up fine. All non-existent pages pointed to the WP 404 page. All permalinks survived.
Edit: Also, changing the Permalinks from within WP doesn’t affect the Auth code, which is outside of the area that WP modifies.
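The layout described in the post above, as an added example that is not part of the original post: Basic auth directives sit above the `# BEGIN WordPress` marker, with no Order/Allow/Deny lines. The realm name and the `AuthUserFile` path are placeholders, and the rewrite block is assumed to be the stock one WordPress writes for a site installed at the web root.

```apache
# Added example (constructed): auth block placed BEFORE the WordPress section.
# WordPress only rewrites the lines between its BEGIN/END markers, so these
# directives are left alone when permalink settings are changed.
AuthType Basic
# Placeholder realm name shown in the browser prompt
AuthName "Restricted"
# Placeholder path: keep the password file outside the web root
AuthUserFile /path/to/.htpasswd
Require valid-user
# No "Order", "Allow" or "Deny" lines here, as the post recommends.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# Real files and directories are served directly...
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# ...and everything else goes to WordPress (permalinks and the WP 404 page)
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
```

To confirm the protection is active, request the protected URL without credentials and check that the response is a 401 with a `WWW-Authenticate` header rather than the WordPress 404 page.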