the secured kmz may also be using the kml tag along with and
I have implemented a kmz with security in the past using google earth desktop app, it was tricky and things aren’t documented that well .
The method we used for security was a link in the name of the top folder of the kml document to a web page. Users needed to use the browser within google earth, having the “show web results in external browser” option turned off. after logging in, from the server is looked like a regular http request
If the kmz you are loading hits a web form, try logging into the web site serving the kmz before hand in another tab or via hitting the login page with an iframe may work establishing a user session, that may change the response you get back.
the KMZ you are using, what is the data that it is loading? is it linking to a WMS service by any chance. some WMS services will initiate basic authentication. If this is the case,…I’m speculating here…, loading the WMS directly may work …
also the service your hitting may have the data deliverable in another format, such as json via another web service call, it may be easier to work with that …