I'm convinced there has to be a dupe of this somewhere, but I couldn't find it easily:
Given an asp.net application that in itself uses Forms Authentication, what is the best practice for securing a public-facing demo site such that nobody who is not in the "in crowd" can see the site at all?
You might want to try using a different port other than 80 for the site. It's not the most secure thing in the world if you really don't want people to know about it, but it is definitely security via obscurity. It doesn't prevent you from using your forms authentication, but you will probably need a little extra configuration to transition between http and https traffic neatly.
So if your site is http://test.org and you also set up your demo site to be http://test.org:9666, any regular traffic to the site will hit the non-demo site. That may not be clear, but I hope it gets the idea across meaningfully.