These may be assumptions, but here's my thoughts:

• you're using query string information to hold the authentication info? bad idea
• .htaccess files are the way to go if you just want to serve all content to valid users - and Apache works fine on windows if you have access to the machine.
• you can use seperate .htaccess files in each subdirectory to limit user access further, but this can get messy
• don't store passwords unencrypted in the database. at the very least, use crypt() to hide them, then compare a crypt of what the user enters as a password to what you have in the DB

If you're going to wrap serving the files in a Perl script, use cookies (stored in DB with username) to validate rather than password lookup for each page request. Something like this:

my $q=CGI->new();
if ($q->cookie('sessioncookie') {
    # check cookie exists in DB
    # serve page requested
}
elsif ($q->param('username')) {
    # check password OK, set session cookie 
    # and store cookie in DB
}
else {
    # show login form
}
[download]

but it's hard to comment without seeing some code.

.02

cLive ;-)