This might be the simplest, though I was hoping to avoid any code-level hack since it may be more difficult to keep up to date with MW releases. Though MW auth would be better than the htauth popup that no one likes. I didn't realize this could be done in LocalSettings, I thought it was cached, I will experiment with this Wednesday.
No, it isn't, and even if it was - you could create some small extension doing the same check during initialisation :)
It appears that if Satisfy any is present, REMOTE_USER isn't passed on.
I've just tested such setup, and REMOTE_USER is passed in my case... (of course, only if access isn't allowed by host-based auth)