I know how to protect my static (HTML) pages in IIS6, and how to do it using the IIS7 Integrated Pipeline, but how can I protect my HTML pages from unauthorised access in IIS7 when running in Classic Mode?

It's an ASP.NET site using forms authentication.

ASP.NET forms authentication has nothing to do with resources that aren't handled by ASP.NET, like HTML files. Two options:

1) Tell ASP.NET to handle the static file types you are concerned with (HTML, etc)
2) Disable anonymous access for your site

But now you've got me curious... how does this change with IIS7 Integrated Pipeline vs Classic mode?

IIS Classic Mode is the same as IIS6, except you can't use the IIS manager interface to do it; you have to edit web.config directly. See this guide for details.