Anybody? Anybody? Bueller?
Found the answer. To force the rewrite rules in my site's main .htaccess to ignore subdirectory "foo", I inserted the following code into the beginning of the main .htaccess, before any other rules. This allowed the standard password-protection procedure to apply to "foo" while leaving the rewrite rules in place for the rest of the site.
><IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^.*foo.*$
RewriteRule . /index.php [L]
</IfModule>
