Just a few ideas - although we do not believe this topic is related directly to r.a.d.controls. RSS Aggregators fake a GET request to the RSS feed - in a sense, they emulate browser requests. If the RSS feed is protected with some kind of authentication that does not allow browsers to access the feed, we believe this is pretty much the same with aggregators.
In essense, aggregators should not be able to load protected RSS feeds (if they do not support username/password option for example).
All the best,