I think my previous response in the linked thread still holds:
Within one site definition, the basicauth and the ipfilter will always both apply; it’s not possible to let either/or access the site. Hence the need to use two sites (on subdomains, maybe?), and redirect between them as necessary for convenience sake.