Torben,
If you look back a little in this thread I discuss how you might achieve this by patching ad_login_page so it thinks some of those directories are part of the "login" page, so you can serve the content over https without logging in.
One danger of serving mixed http/https content is that the user will get a warning box that says basically that "some of the content on this page is not being served by https. Do you want to show this content?" This can scare non-technical users.
