Basic HTTP Authentication in IIS
There may be another way, but simply you can
- create a local user under Windows,
- add them to a local user group,
- remove anonymous access to the folder containing the web site and
- change file permissions to only allow access to members of the local user group
For the IP whitelist, there doesn't appear to be a way to override basic auth by IP address.
Its a bit of a kludge, but you could point a separate virtual site to the same directory and lock it down to nothing other than the local IP. Perhaps use host header to select the new site