RestrictToSSL seems to work pretty much as you suggest. If part of the site map is restricted to SSL, then authentication is based on the ad_user_login_secure cookie as opposed to ad_user_login.
If you try to access this area of the site and ad_user_login_secure is not already set in your browser (regardless of whether ad_user_login exists), then you are required to log in again, only this time using a secure connection. After this, the appropriate cookie is set, and you can wander around SSL restricted parts of the site to your heart's content.
However, if SSL is enabled, the login for non-restricted areas still occurs over regular HTTP, with the same password as for HTTPS logins, so if your password gets sniffed when your logging in via HTTP, an attacker could use that to log in via HTTPS and access secure parts of the site. I think it may be possible to force ALL logins to occur over HTTPS, closing this problem, but I'm not sure how :)
