SOLVED: The idea is that if the visitor comes from China they have to pass a basic authentication. If you have any other IP address you can visit the site without being hassled (including proxies)
//1400 rules....
SetEnvIf Remote_Addr 222.249.128.0/19 china
SetEnvIf Remote_Addr 222.249.160.0/20 china
SetEnvIf Remote_Addr 222.249.176.0/20 china
AuthType Basic
AuthName "Restricted"
AuthUserFile /www/passwd/users
Require valid-user
Order allow,deny
Allow from All
Deny from env=china
Satisfy any
Just add 'allow from myiprange' or 'allow from myinternalnetwork.com'. The 'Satisfy any' will require either a valid-user or the allow from.
See: Authentication, Authorization, and Access Control
Generally the default config has unrestricted access for everyone
Then you must force authentication for your restricted area by denying all, then allowing just those subnets, followed by any requirements for how they actually would authenticate. Satisfy all is used to insure both policies of access are required.
Caveat!
Every single time I think I understand the rules for how authentication works, I have to futz with the config repeatedly until I get some nuance correct. Use this only as a starting point. Re-read the apache documentation on mod_auth and mod_access in particular, paying special attention to the Order directive. Therein lies your answer.
Hope this helps, and please post your working example if it doesn't match this one, as this is a pretty good recipe to have in an apache cookbook.
--edit--
Testing the above shows that restricted area is forbidden to all except for those from the IP address, who must provide authentication.
It is not clear from your question if users from other IPs need unfettered access to this 'restricted area' or if they are simply forbidden?
This is the code I use to allow all users, deny the ones form China and password prompt those: