From the example in Apache Authentication, Authorization, and Access Control [httpd.apache.org] documentation, with the addition of a SetEnvIf [httpd.apache.org] directive:

 SetEnvIf Request_URI ^/local_URL-path_to_unprotected_file$ unprot
 AuthType Basic
 AuthName Protected Files
 AuthUserFile /www/passwd/users
 Require valid-user
 Order allow,deny
 Allow from unprot
 Satisfy any

Jim

Thanks, but i'm having trouble getting this to work.
specifically, the first line:

SetEnvIf Request_URI ^/local_URL-path_to_unprotected_file$ unprot

i want requests to the homepage to be allowed only, eg. [domain.com...]

I've tried this:

SetEnvIf Request_URI ^/$ unprot

without success. What am I doing wrong?

Maybe you have to name the file, ie:
SetEnvIf Request_URI ^/index.ext$ unprot

This probably won't expose the filename to the user, I haven't tried it, let us know.

tried that too with no success.

Excuse me if this is a stupid comment, as I am by no means an expert, but can't you simply keep this particular file somewhere else than in this protected directory?

basically, the page is a holding page for domain so cannot be moved. for various reasons, the rest of the website is still there in the root directory and still needs to be accessible by certain people. Because of certain url paths, it would be a painful task to move these so I wanted to avoid it if possible.

where as before, it was not imperative that the pages were hidden from the general public, it is now, and assuming no one will find the pages because there are no links to them is also wrong, as google bots in their activity have managed to find a link into the site and now has several pages indexed!

I have now moved all the files save for the holding page and given up, although i am still curious as to how this could have been resolved if anyone can think of anything.

The ^/$ pattern in your code above was correct, and should have worked.

Did you flush your browser cache before/during testing?

Jim