diff --git a/README.md b/README.md
index 06dad640..4594a1c0 100644
--- a/README.md
+++ b/README.md
@@ -719,6 +719,11 @@ on windows xp/7, connect using the explorer UI:
 on windows 7/8/10, disable wpad for performance:
 * control panel -> [network and internet] -> [internet options] -> [connections] tab -> [lan settings] -> automatically detect settings: Nope
 
+known issues:
+* winxp cannot show unicode characters outside of *some range*
+  * latin-1 is fine, hiragana is not (not even as shift-jis on japanese xp)
+* win7 cannot access servers which require authentication unless you use https or [enable basic authentication](./contrib/webdav-basicauth.reg) for http
+
 
 ## file indexing
 
diff --git a/contrib/README.md b/contrib/README.md
index 615338c5..b1297d6b 100644
--- a/contrib/README.md
+++ b/contrib/README.md
@@ -29,6 +29,9 @@ however if your copyparty is behind a reverse-proxy, you may want to use [`share
 * disables thumbnails and folder-type detection in windows explorer
 * makes it way faster (especially for slow/networked locations (such as copyparty-fuse))
 
+### [`webdav-basicauth.reg`](webdav-basicauth.reg)
+* enables webdav basic-auth over plaintext http
+
 ### [`cfssl.sh`](cfssl.sh)
 * creates CA and server certificates using cfssl
 * give a 3rd argument to install it to your copyparty config
diff --git a/copyparty/authsrv.py b/copyparty/authsrv.py
index daaf6b48..0b662870 100644
--- a/copyparty/authsrv.py
+++ b/copyparty/authsrv.py
@@ -411,6 +411,7 @@ class VFS(object):
         will_move: bool = False,
         will_del: bool = False,
         will_get: bool = False,
+        err=403,
     ) -> tuple["VFS", str]:
         """returns [vfsnode,fs_remainder] if user has the requested permissions"""
         if ANYWIN:
@@ -432,7 +433,7 @@ class VFS(object):
         ]:
             if req and (uname not in d and "*" not in d) and uname != LEELOO_DALLAS:
                 t = "you don't have {}-access for this location"
-                raise Pebkac(403, t.format(msg))
+                raise Pebkac(err, t.format(msg))
 
         return vn, rem
 
diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py
index 498afa83..fb21a1eb 100644
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@@ -671,7 +671,7 @@ class HttpCli(object):
         if not self.can_read and not self.can_write and not self.can_get:
             if self.vpath:
                 self.log("inaccessible: [{}]".format(self.vpath))
-                return self.tx_404(True)
+                raise Pebkac(401, "authenticate")
 
             self.uparam["h"] = ""
 
@@ -731,7 +731,7 @@ class HttpCli(object):
             ]
 
         props = set(props_lst)
-        vn, rem = self.asrv.vfs.get(self.vpath, self.uname, True, False)
+        vn, rem = self.asrv.vfs.get(self.vpath, self.uname, True, False, err=401)
         depth = self.headers.get("depth", "infinity").lower()
 
         if depth == "infinity":
@@ -2502,7 +2502,7 @@ class HttpCli(object):
 
     def tx_ups(self) -> bool:
         if not self.args.unpost:
-            raise Pebkac(400, "the unpost feature is disabled in server config")
+            raise Pebkac(403, "the unpost feature is disabled in server config")
 
         idx = self.conn.get_u2idx()
         if not hasattr(idx, "p_end"):