You can have a different authentication  type for each Web Application
Zone. Simply extend the existing WebApplication to a new URL. Then in
Central Admin and IIS adjust that URL to use NTLM non-ssl
authentication. If you go to that URL you'll get the same content but
NTLM authentication. The original URL will still be Basic with SSL.

When you do this don't forget your to extend Shared Service Provider as
well. Your SSP needs to be extended with the same zone settings as your
sites in order for it to return the proper paths for all extended sites
in search results.

Actually, I just noticed the question was about 2003 and my answer was
for 2007.

But in 2007, NO you wouldn't have to extend the SSP as well. The paths
returned from things like search will be based on the Alternate Access
Mappings of the original site. The SSP is normally on a custom port and
that address is only used to administer the SSP. If the SSP Web
Application also hosts MySites you may have to extend it to get Mysite
access. But search results will not be affected.

Your right. My MySites is on a separate web app, thats why I needed the
additional extending when crawling the main site content. The Zones
needed to matchup.

One issue worthy of note is that if you have alternate access mappings
that means a new domain. Every time you cross domains you have to
reauthenticate, even if it is the same authentication  method (integrated
works invisibly for IE Intranet Zone sites, but it still
reauthenticates)

What I have done (just yesterday so we'll see how it turns out) is given
my root / website both Integrated and Basic Authentication. ( As
suggested by a blog post that I can no longer find: ) I created a
virtual directory and a redirector forces it to do basic authentication
and then return to the home site. I have to sign out to return to
integrated authentication and client integration (I get mixed results
doing this) but if I'm already signed in with integrated auth, I just
have to link to

https://share.point.app/[VIRTUALDIR]/[MANAGEDPATH]/[SITECOLLECTION]

And it will reauthenticate to basic authentication at
/[MANAGEDPATH]/[SITECOLLECTION].

Using this method I can use the exact same URLs and bookmarks and it
will check my session to see what entry point I came through and which
authentication method it will use for the rest of the session, instead
of making me authenticate AGAIN because some of my links are domain1 and
some are domain2 and the cookies don't match.

I didn't completely follow what you are doing here, but keep in mind
there are some known issues with Office clients when both NTLM and Basic
are enabled in the same IIS web application. If you are depending on an
NTLM failure "falling back" to Basic, this doesn't work properly.

Take a look at
www.microsoft.com/.../en
-us/stsc04.mspx - the approach is to use 2 virtual servers (one
NTLM/HTTP(S) for internal and one Basic/HTTPS) pointing to the same
content.

Whose machine and camera shal we use for this ?