As far as I can see, even when using .htaccess for authentication, it still makes use of the ACL for rights management.
If you, with
http://wiki.splitbrain.org/wiki:tips:htaccessauth#the_htaccess_class, make your users members of a group called "user" and then navigate to the toplevel namespace, click [admin] > [Access Control List Management]. You should be able to let the look like in my screenshot where "ALL" have reading rights, "admin" group can do anything, and "user" group can read/write/create pages.
Edit: Sorry, meant to link to
http://wiki.splitbrain.org/wiki:tips:htaccessauth#htusers.auth.php covering how groups are associated with .htaccess users.