Hi Chad,
When we say that a user is redirected to the configured value for IdleTimeoutURL, it means that when SMSESSION cookie
was set to LOGGEDOFF and the user is redirected to IdleTimeoutURL page as per design or Webagent code trigerred for IdleTimeoutURL.
A user should be successfully able to navigate through unprotected content on your website without any time restriction
from Webagent if the user never started a SM session (Authenticated and AZ through Siteminder).
For protected pages,he can be challenged and Authenticated to begin a session.
Your last sentence in the question does open a room for solution when you say :
"Or possible just has to log in again when trying to next view access protected content."
if you remove-IdleTimeoutURL, there will be no redirection after the timeout and hence when user sends a get request for a unprotected page -IsProtected() will be called but User wont be challenged by Webagent for as a part of Authentication processing.
In this way, a user should not be challenged for unprotected resources and should be challenged(login page that you want) on requesting protected resources.
I donot have lab to test and confirm this, but believe my uderstanding is corect, give a try.
Also its purely your call as it has different user experience.