Use the Satisfy directive, in particular the
Satisfy Any directive, to require that only one of the access restrictions be met. For example, adding the following configuration to a .htaccess or server configuration file would restrict access to people who either are accessing the site from a host under domain.com or who can supply a valid username and password:
Deny from all
Allow from .domain.com
AuthName "special directory"
See the user authentication question and the mod_access module for details on how the above directives work.