Password protection is the best option. Robots.txt will block spiders but the URL may still show in search results.

Never thought about using a PW protection;
but as you mentionned still need to deal with the URL
My problem is that I need it to be live and not on my local machines - aside me it is also accessed by my CSS person and graphic partner -

There should be no reference in search result if you use password protection. This can, however, happen with a robots.txt disallow if links to the test server exist somewhere.

If you use HTTP authentication spiders all receive a 401 or 403 response since they don't supply login credentials, and search engines don't list pages with these status codes.

in that case this should fine since there are no inbound links

You may be surprised at how links can crop up to a site, so I would always advise a password. There's also the potential for discovery via toolbars if you send out a link to anyone.

My problem is that I need it to be live and not on my local machines - aside me it is also accessed by my CSS person and graphic partner

If there wil only be a handful of people working with the site, you can make the site accessible for those IPs. In Apache .htaccess this would be something like:

Order deny,allow
Deny from all
Allow from 111.111.111.111 222.222.222.222

Thanks,
I like that solution.