I studied the logs you sent me privately, and can confirm that the player is not providing any password. HFS cannot let it pass, since the resource is protected. So far so good.
I can also confirm that your files are NOT protected.
I entered the full URL in my browser and the file was provided without requesting any password.
I can tell you more: even the listing is not protected. Although you get the error message of the template (ToG), I can get /~files.lst and know all your folders and files.
So, if this is OK for you, no one will blame you, and you can stop reading this message here.
---- spoiler ---
If you want the files to truly be protected against anyone (remotely), you should start by removing "anonymous" and "anyone" permissions.
I'm missing some information about what's going on there, but I suppose you are clicking on the link in the browser, and the player (a different program) starts. This is a supposition, but let me continue.
The links are normally of the form "Videofile.avi", and provide no password with them.
The password is instead requested by HFS for every action. The browser remembers the password, and sends it to HFS every time, so there's no need for the link to contain the password.
But the browser launches the player, providing it with the URL but not the password.
HFS has a feature to force the link to contain the password: "Include password in pages".
For security reasons, it's better for this to be OFF by default, but you can turn it on if you truly need it.
Anyway, it is my opinion that you will get much more security by removing those extra permissions and enabling this option.
That's all.
Leaving the hall.
p.s.
Just one more thing: by giving me the request dump, with the "authorization" line, I could easily decode it and know your password.
I'm not interested in those files, but this is just to let you know something you should know.
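
Following up on the p.s. above, an added example (not part of the original post and not HFS code): a small sanitizer to run over a request dump before sharing it, since a Basic `Authorization` value is only base64 of `user:password`. The function name, the sample dump and the `user:password@host` URL form are assumptions made for this illustration.

```python
import base64
import binascii
import re

# HTTP Basic credentials are base64("user:password"): encoded, not encrypted.
AUTH_RE = re.compile(
    r"(?im)^([ \t]*(?:Proxy-)?Authorization:[ \t]*Basic[ \t]+)([A-Za-z0-9+/=]+)")
# Credentials embedded in a link (assumed form: http://user:password@host/path).
URL_RE = re.compile(r"(?i)\b(https?://)([^\s/:@]+):([^\s/@]+)@")


def redact_dump(dump):
    """Return (sanitized_dump, findings) for a raw HTTP request dump."""
    findings = []

    def _auth(match):
        # Decode only to report which account was exposed; never keep the secret.
        try:
            raw = base64.b64decode(match.group(2), validate=True)
            user = raw.decode("utf-8", "replace").partition(":")[0]
        except (binascii.Error, ValueError):
            user = "?"
        findings.append(("basic-auth-header", user))
        return match.group(1) + "[REDACTED]"

    def _url(match):
        findings.append(("url-credentials", match.group(2)))
        return match.group(1) + match.group(2) + ":[REDACTED]@"

    sanitized = AUTH_RE.sub(_auth, dump)
    sanitized = URL_RE.sub(_url, sanitized)
    return sanitized, findings


# Constructed sample request dump (not taken from the thread).
SAMPLE_TOKEN = base64.b64encode(b"alice:s3cret").decode("ascii")
SAMPLE_DUMP = (
    "GET /Videofile.avi HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Referer: http://alice:s3cret@example.invalid/\r\n"
    f"Authorization: Basic {SAMPLE_TOKEN}\r\n"
    "\r\n"
)

if __name__ == "__main__":
    clean, found = redact_dump(SAMPLE_DUMP)
    print(clean)
    print(found)
```

A non-empty findings list means the dump carried recoverable credentials, so the password should be changed if the unsanitized dump was already shared.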