For subsites with our standard configuration, in order to establish a sub-subsite that only the pagemasters can access (for example, to experiment with CommonSpot privately), follow the general instructions for modifying subsite security, including clearing the check-box in step 5, and with the following particular steps at step 6:
In "Content Security" click on the "pencil" icon to edit the rights for both "anonymous users" and "authenticated users", setting them both to have no rights.
For both categories of user, do not remove that category.
When done, close the lightbox.
Any subsite that does not have Read access for Anonymous in Content Security will password-protected.