I'm using .htaccess to protect directories from access for the first time, and something is happening that I don't understand.

The change I made is very simple: I added the following .htaccess file to several subdirectories in my document root:

<Files *>
Deny from all
This should deny users access to all files in each directory, while allowing the server to have access.

On one web site (production) this worked. On another (staging) it didn't. Every web page's images failed to appear.

I think I understand why the images fail to appear on the staging site: to the server a browser's request for an image looks just like a user's request for a page, and it denies both. Right?

If that's right, I baffled about why images continue appear on the production site. I thought they might be cached, but I cleared the cache and it seemed to make no difference.

I also wonder whether there's any way to do what I originally intended: deny the user direct access to a directory or file while continuing to allow an HTML page to reference it.