Okay, I understand that the "fall-through" authentication to Zope will not work with rewrite rules when Apache 1.2.6 is used. Unfortunately the project I'm starting is being done for a shop that refuses to upgrade to 1.2.6. I have Zope working just fine with Apache authentication; for the needs of my project, this method of authentication works just fine. However, I need to know how to properly set up Zope to run in a virtual domain "container", _and_ to only authenticate parts of the object hierarchy at one time. The idea is that we have a website docs.foobar.net that is a virtual domain on an Apache 1.2.6 server, and we need to authenticate any requests underneath docs.foobar.net/manage so that the world can see the pages but only people in our list can manage. Another simultaneous difficulty is finding the proper way to make this virtual domain automatically start in folder "docs" of Zope's object hierarchy. I've used an Alias to translate docs.foobar.net to docs.foobar.net/cgi-bin/Zope.cgi/docs , and it works fine, but I don't have proper Zen mystical knowledge of Zope to understand the _proper_ ways of doing these things, if such ways exist. I have done a scan of Email archives and most of the documentation on the Zope site, but either I'm dumb as nails or just don't know the proper magic keywords to get the information I need. Zope looks great, I've resisted learning a new language but a killer app makes it worthwhile.