Can OWASP ZAP be performed on a protected website?

I am new to ZAP 2.5 and I have these questions that are yet answered as of the moment:

1. Can ZAP be performed in a protected website? Note that I don't know what method is used to protect the website. But whenever I try to perform ZAP with it, it only checks the Log In form of the website; ZAP doesn't dig deep down. Is it normal knowing that the website is protected?
2. I am not hacking the website; its just that my mentor wanted me to know if I or ZAP has the ability to perform security testing with our website even if it is protected. Is it really possible? If so, how?

I hope that someone would enlighten me with this, because so far, I haven't found any answers yet. Thank you!