When a browser accesses a password protected directory, it changes from anonymous impersonation to a combination of username and password that you entered in login box. This impersonation works fine for the content (HTML pages, images, etc.) located under the password-protected folder.
However, if your pages located in password-protected folders contain images, etc. located somewhere else on you virtual server, the browser can not access them using current impersonation and prompts you to enter another username and password. In other words, it needs to change impersonation back to anonymous to access those files.
The solution to the problem is to have all content (HTML pages, images, etc. that you use in documents in password protected folder) in the same password protected folder or sub-folders under it.
The problem gets worse if you are using FrontPage to publish, especially if you are using shared borders, themes, style sheets, etc. FrontPage uses files in hidden folders (extensions) to produce output to browsers. Therefore, moving all your images to a protected folder may not help. The easiest solution in this case is to create a sub-web and limit browsing to this sub-web to registered users only using FrontPage Permissions tool. Please find detailed instructions in the following Knowledge Base article: How do I Restrict Access To My Site Using FrontPage?
If you absolutely must have content located in a different directory, you will have to track down every file that the content in the password-protected folder uses. You will then need to give the user access to all of the directories in which those files are located.
For example, if you have password-protected folder D:\FTP\username\Htdocs\private protected by user NOTANON, and that folder contains an ASP page which accesses a file in D:\FTP\username\Htdocs, you will need to give the user NOTANON access to the Htdocs folder in HostPilot Control Panel > Web/FTP Server > Web Server > Permissions.
This will NOT work if you are using FrontPage. If you are using FrontPage, you will have to give the user permission to access the entire FrontPage web.