i think others have it right when they say, anything you dont want accessed directly via a url, keep outside your web root, and have your C::A pick it up from another part of the filesystem and serve it up.

i'm about to do something pretty much the same with user photos. i dont any old user getting a hold of other users photos, so i will store them outside the webroot where they are not accessable directly via a url, but accessible by the web server user