And yes you can. The trick is to make the server reject the request before it tries to decode it or before it realises that the ressource is HTTP auth protected. The easiest way to do this, is requesting an url like http://192.168.1.1/%. The broken URL encoding will result in a HTTP 400 Bad Request error on many servers (tested against Apache, IIS and some home routers). The only culprit is Internet Explorer 7 which is unwilling to send such requests. (Similiar results were made with requests like http://192.168.1.1/%2e%2e ).
However there are more tricks to make servers refuse requests that will work even in Internet Explorer. The simplest one is to request a very long URL. Something like http://192.168.1.1/AAA...LOTS_OF_AAAA..... (which even works against Google's homemade server).
So far so good... Now you know how you can use simple HTML to not even scan, but also scan without triggering HTTP auth popus.