it's crazy I can set it so people must log in - but yet SEs can come through :)
That's imposible if you are using .htaccess and .htpasswd. Robots.txt files on the other hand, are only suggestions to spiders to not index your site, and they can choose to ignore the file.
but if I use the .htaccess file when legitimate users access the directory holding dbman..they'll be prompted for that pw of the .htacces file and for the pw for dbman....right?