Stats is not available without a username/password. However, if someone knows where they are, the files are just sitting there like a challenge. Turns out that the IPs concerned are Trend Micro.
... and I am not the only one dissatisfied with TM:
The mere fact that TM is trying to access the pages means that someone running TM is attempting to get in (as I understand the process).
I just don't want people snooping around and potentially getting into my stats info. Then they have access to things like user names and locations of files that they have no business seeing.
I want those specific IPs to get a '403 Forbidden' error instead of '401 Authentication Required' - and everyone else to get the 401. However, it seems that there is no way to do that via .htaccess, since the files do not exist as a subdirectory of the main domain. I have no problem with .htaccess syntax, just figuring out how to protect a virtual directory.