Its quite normal when the webs stores cache, re-entry of password is not being asked for the said page or web. I found it useful for exclusive personal computers & hand held devices. But the fact is why we are protecting these, so that it can be visible by a or more than one specific people/s. Till now its OK. but now comes the problem, when the other targeted user doesn't clear the cache(reasons are varied, like- they are not aware of it, in a shared/public PCs they may not have the permission to clear system cache & restarting the system, etc). And it becomes no more protected. :-(
In my thinking, it will be better if there is a option for the admin, to opt for a view without cache, (similar we found in YouTube uploads). If it is possible I will be the first to utilize this.