if you ban a range of ip's, you ban them! no matter who's behind an ip.
With the beta version of hfs and using macros, you can make a welcomepage that shows up if %folder% = /.
In this welcomepage, you set links to login and, if allowed ip, to next folder.
Also at beginning of your template, you set conditions:
if the folder is not / or no %user% is logged in, then disconnect that request.