I agree with the other commenters that detecting "where the call to the function was made and if it was not from the address bar then the function should run" is a bad way to approach client-side security, insofar as there is such a thing.
That said, function scope, closures, and how this relates to the URL bar is an interesting topic. Here's some more context on global variables and scope. The short version is that if you have a function like this:
function test (argument) {
alert('hey')
}
It will be executable via the URL bar because it's in the window/global scope, which seems to be as far as javascript URI's will go. Whereas if you put that same function in a closure:
(function() {
function test (argument) {
alert('hey')
}
})()
...it should be inaccessible as far as executing the function in the URL bar goes.
I would be curious to learn the history of why browser vendors implemented Javascript-via-the-URL...it now has practical usage with bookmarklets and the like, but it doesn't seem to be well-documented.