This works great, my images are in protected directory and I can show it. But if anybody types in the url www.mydomain.com/products/image/1.jpg, …/2.jpg, …3.jpg, the images are accesible to everybody again…
You should also make so that the path /product/image/1.jpg is not a real file.
The base htacces is tought to serve a file if exists, and if not exists to pass the url to the application, therefore a real path will always take precedence on the application.