Do you mean to say that all http traffic is secured?? Whilst there is no green lock?
Does the URL say https:// ? If so, then yes, all the traffic is encrypted. You can confirm this yourself on my site, depending on which browser you're using. Using Chrome, I don't see any easy way to confirm it; it just gives you the red "not secure" warning. But if you use Firefox, you'll get the green lock (after you add the security exception).
The problem is that security isn't binary. Chrome says the site is insecure, because the hostnames on the certificate don't match the hostname in the address bar. In most cases, that would indicate a MitM attack. Firefox says the site is secure, because the connection is encrypted. Which is right? It depends on what you're trying to do. If you go to your bank's website and get a certificate mismatch, you have a problem, because you probably aren't communicating with who you think you're communicating with. But if you browse to the known IP address of your server and get that error, and the certificate doesn't have the hostnames that belong to your server, you really don't have a problem.
This could be avoided by implementing a redirect from https://$IPADDR to https://$FQDN, but that raises the question of which FQDN to use--a stock installation of SME Server will have several hostnames assigned to it, and it's very common for the server to be hosting multiple domains as well (each with its own set of hostnames).