Robin,
I haven't done this, so I'm guessing that it will work. Somebody else pipe up if this is incorrect...
You can control access based on acs-subsite Application group membership.
My understanding is that you should be able to create a subsite (say, mlist), set it's join policy to closed, and mount a static pages instance under that subsite (say mlist/archive). You can control membership in the groups "mlist Administrators" and "mlist Members", created by the subsite instantiation code. If you already have a member group, you may be able to assign subsite permissions to that group, though I'm not certain.
You then should be able to create a directory "<acs root>/www/mlist/archives" and place your static content there.
/R