[eluser]ggoforth[/eluser]
There's probably a ton of ways to do this, but the most obvious to me is that you need to develop an authentication method and then run that method on every page you want protected. I do this in my own work with Hooks, where you can describe the hook in hooks.php, and have it run post controller constructor and check whatever session variable you create to see if they are logged in. If they aren't redirect to a login form, if they are, let them on to the page.
Check out hooks, they have become a super valuable tool in my own sites, as it cuts down on A LOT of code I would have to otherwise put in each controller.
GReg