I observed the same problem with the Administration Access Levels Accounts 2. I borrowed BlackOps' technique (below) for using an array, and since there was no preexisting admin/includes/config.php on my system (and since it didn't seem to have any affect), I placed all modifications in admin/includes/functions/html_output.php itself. First near the top:
$force_ssl_list = array(
FILENAME_CUSTOMERS,
FILENAME_ORDERS,
FILENAME_ORDERS_PACKINGSLIP,
FILENAME_ORDERS_INVOICE,
FILENAME_CREATE_ACCOUNT,
FILENAME_CREATE_ACCOUNT_PROCESS,
FILENAME_CREATE_ACCOUNT_SUCCESS,
FILENAME_CREATE_ORDER_PROCESS,
FILENAME_CREATE_ORDER,
FILENAME_EDIT_ORDERS,
FILENAME_LOGIN,
FILENAME_STATS_CUSTOMERS
);
define('ENABLE_SSL', true);
define('HTTPS_SERVER', 'https://metolius.loowit.net');
Note this makes the login and customers stats pages also SSL-only.
Then later in the file at the top of tep_href_link:
global $force_ssl_list;
and I replace:
if ($connection == 'NONSSL') {
with:
if ($connection == 'NONSSL' && !in_array($page, $force_ssl_list)) {
and I replace:
} elseif ($connection == 'SSL') {
with:
} elseif ($connection == 'SSL' || in_array($page, $force_ssl_list)) {
Now all works well...
James