Before you go on, you may want to read this report concerning IE and Digest authentication. In a nutshell, the report says that IE won't work with Digest authentication unless the underlying server is IIS. As for NS 4.7, I can't tell you - I never investigated it much further after I read "will probably not work with modern browsers". I try to stay away from stuff that doesn't work everywhere.
As for the AuthGroupFile, you can put it anywhere you want - it'll only become active if you use a "require group" directive, as opposed to a "require user" directive (which dips into AuthUserFile).
Concerning your directory hierarchy: .htaccess files do not merge, so only the "nearest" .htaccess file will be taken into consideration, whether that be in the current directory, the parent directory, or the great great great grandparent directory. If you put an .htaccess file in the ggg grandparent directory, then it will affect all subdirectories beneath it, unless of course, another .htaccess appears in them.
If there is only ONE .htaccess file in the ggg grandparent directory, then the user won't need to be authenticated for any of the subdirectories. If, however, they authenticate in the ggg grandparent directory, and then dip into a subdirectory that has its own .htaccess file (with a different authentication scheme perhaps), then authentication would probably occur again (honestly, that's a guess, though - I've not tested it just now).
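The `require user` versus `require group` distinction mentioned in the post, as an added example that is not part of the original post. It is written in Apache 2.4 syntax; the file paths, realm, user names and group name are assumptions.

```apache
# .htaccess -- constructed example; paths, realm and names are placeholders.
# Needs "AllowOverride AuthConfig" for this directory, and the modules
# mod_auth_digest, mod_authn_file, mod_authz_user and mod_authz_groupfile.

AuthType Digest
# The realm must match the realm stored in the digest password file.
AuthName "private"
AuthDigestProvider file

# Password file, created with:
#   htdigest -c /usr/local/apache/passwd/digest private alice
# Keep both files outside the DocumentRoot so they cannot be downloaded.
AuthUserFile  /usr/local/apache/passwd/digest
AuthGroupFile /usr/local/apache/passwd/groups

# Variant A: per-user authorization. Only AuthUserFile is consulted;
# the AuthGroupFile line above has no effect.
# Require user alice

# Variant B: group authorization. The user still authenticates against
# AuthUserFile, and must also be listed in the named group.
Require group admins

# Contents of /usr/local/apache/passwd/groups (one group per line):
#   admins: alice bob
```

Only one variant should be active at a time; with Variant B, removing a name from the group file revokes access without touching the password file.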