For subsites with our standard configuration, in order to establish a sub-subsite that only the pagemasters can access (for example, to experiment with CommonSpot privately), follow the general instructions for modifying subsite security, including clearing the check-box in step 5, and with the following particular steps at step 6:
In "Content Security" click on the "pencil" icon to edit the rights for both "anonymous users" and "authenticated users", setting them both explicitly to have no rights (don't just un-check "Read").
For both categories of user, do not remove that category (saving with no box checked will remove the category; if you do that, fix it right away by clicking on "Add Group" at the lower-left, and select the group, which should be near the top of the list, then click on "No Rights" if it is not already selected).
When done, close the lightbox.
Any subsite that does not have Read access for Anonymous in Content Security will be password-protected.