If you have access to your server you can simply remove the user account permissions from the folder(s) for the Anonymous Web User (usually the IUSR_computername account)

IIS will then force a user authentication. There are some IIS settings you may need to change to allow browsers other than IE to log on successfully, notably you need to disable challenge-response authentication and enable plain-text authentication. This is done with the IIS service manager.

After authentication, IIS will then impersonate the logged-on user for subsequent permissions.

IIS is a frightened girly man when it comes to handling PHP authentication. I know what you are thinking: be a real man and run Apache. I wish I could. Unfortunately, the client runs IIS and I'm not fightin' city hall. Too short a deadline. Oh well, someone's got to pay the bills and tuition.

Thanks for your reply,

Very kind of you.