The first problem is the .htpasswd file, where htpasswd needs to be forced to use MD5 (the -m flag):
htpasswd.exe -m .htpasswd guest
Then I needed to secure the directory in .htaccess: set up password access as normal, specifying the AuthUserFile and require valid-user.
Then comes the clever bit, "Satisfy Any": this instructs Apache to grant access when *any* of the criteria is met, rather than the default of all. So if the IP address is allowed, the user is not challenged for a password.
AuthType Basic
AuthName "Madly Secret Stuff"
AuthUserFile /path/to/.htpasswd
require valid-user
deny from all
allow from localhost
allow from 127.0.0.1
Satisfy Any
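The same "password or trusted address" policy in Apache 2.4 syntax, where Satisfy, Allow and Deny are deprecated (kept only in mod_access_compat) and replaced by Require lines inside a RequireAny block. This is an added example, not part of the original post; the AuthUserFile path is a placeholder.

```apache
# Added example: Apache 2.4 equivalent of the "Satisfy Any" setup above.
# Assumption: /path/to/.htpasswd is a placeholder for the real password file.
AuthType Basic
AuthName "Madly Secret Stuff"
AuthUserFile "/path/to/.htpasswd"

# Access is granted as soon as ANY one of the enclosed Require lines matches.
<RequireAny>
    # Requests from the loopback address skip the password prompt.
    Require ip 127.0.0.1
    # Every other client must authenticate against AuthUserFile.
    Require valid-user
</RequireAny>
```

If a reverse proxy on the same machine sits in front of this server, every request arrives from 127.0.0.1 and the password check is never reached, so drop the address rule in that setup.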