Mmm, yeah, at the moment that's what happens, the trouble is that people can still type in the address bar, for example:
http://fake/images/private/fake.jpg and view it. The login uses a cookie, but it only checks for a cookie on an actual page... not a file....
wiggles
edit: sorry I didn't think it would try and link that.... the address was an example.
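
An added example, not part of the original post: one way to close the gap described above is to keep the private images outside the web server's document root and hand them out only through a handler that runs the same cookie check as the pages. The language (Python), the function names, the `session` cookie name and the session store are all assumptions made for illustration; the site's own stack is not shown on this page.

```python
import hmac
import tempfile
from pathlib import Path

# Constructed session store: cookie value -> username (assumption; stands in
# for whatever the site's login actually sets).
SESSIONS = {"3f9c-constructed-token": "alice"}


def is_logged_in(cookies: dict) -> bool:
    """The cookie check the pages already do, reused for file requests."""
    token = cookies.get("session", "").encode()
    # Constant-time comparison against each known session token.
    return any(hmac.compare_digest(token, k.encode()) for k in SESSIONS)


def serve_private(url_path: str, cookies: dict, private_root: Path):
    """Return (status, body) for a request under /images/private/.

    private_root is a directory outside the document root, so a file in it
    can only be reached through this function, never by typing its URL.
    """
    prefix = "/images/private/"
    if not url_path.startswith(prefix):
        return 404, b""
    if not is_logged_in(cookies):
        return 403, b""  # no valid cookie, no file
    root = private_root.resolve()
    target = (root / url_path[len(prefix):]).resolve()
    # Reject anything that resolves outside the private directory.
    if root not in target.parents or not target.is_file():
        return 404, b""
    return 200, target.read_bytes()


def demo():
    """Run three constructed requests and return their status codes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "private"
        root.mkdir()
        (root / "fake.jpg").write_bytes(b"\xff\xd8constructed")
        (Path(d) / "secret.txt").write_bytes(b"outside")
        good = {"session": "3f9c-constructed-token"}
        return [
            serve_private("/images/private/fake.jpg", {}, root)[0],
            serve_private("/images/private/fake.jpg", good, root)[0],
            serve_private("/images/private/../secret.txt", good, root)[0],
        ]
```
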