Thanks for that pointer. I think the solution is to consolidate system graphics into a single directory (active discussion in this thread:
https://openacs.org/bboard/q-and-a-fetch-msg.tcl?msg_id=0002oe) , and modify the security system to allow viewing of those graphics by non-logged-in users over https.
We are still mulling over the other two issues above: admin-init inefficiencies and password protection. The quick hack solution is to comment out the big "for all mounted packages" loop and add individual registrations of ad_restrict_to_https for some key pages.
