The ability to natively password-protect iWeb-Sites is only available to those that publish to .Mac. I suspect it is a server side .htaccess like setup, regardless of the technology actually used. Otherwise, people often use iTweak to do the same, meaning people who publish to a folder and upload to a server that is capable of running .htaccess files. Consult your webhost if not sure.
If you cancel the login or purposefully type in the wrong credentials and get a forbidden error, combined with the fact you view source and there is no HTML form with the login fields, chances are it's server side protected. I'm sorry but I could not find any documention on specifically the native technology being used.