Using virtual hosts to bypass authentication is not really a good idea as it solely relies on the assumption that someone outside won't know the internal vhost name. And as (AFAIK) this only needs to be send in the HTTP header it would make it very easy to manipulate (an attacker would only have to change his hosts file).
Update: Silly me, above example isn't about name-based vhosts...