Hiding the address of the server doesn't help you. Even if you were to put a proxy out in front, now the users can simply connect to the proxy server. You must offer an endpoint your clients can connect to, and this is the same endpoint that can be used elsewhere.
What you really want to do is check that the request for the stream originates on your page and not someone else's. SHOUTcast itself doesn't offer this functionality.
Depending on how your player is set up, you might wish to simply check the Referer:
header. Usually, this will contain the domain of your site. Server-side, you can check to see if it does. If it doesn't, you can reject access.
Another method is to issue a session token that is only good for one use by one user. You can then include it in the stream request query string, like /your/stream?token=0123456789abcdef
. This is what you must do if your player doesn't pass a Referer:
header, and can also be used to authenticate streams outside of your page. (I know you aren't doing this now, but it may come in handy when you start building mobile apps and what not.)
Unfortunately, I don't know of any HTTP progressive streaming server software other than my own (AudioPump Server) that implements these methods, and AudioPump Server isn't generally available yet. If you're interested in trying it out, you can contact brad@audiopump.co. Otherwise, you are probably going to have to write some custom code for this.
You might also be able to finagle Nginx into doing the referrer for you if you get crafty with the configuration. Unfortunately, SHOUTcast isn't compliant with HTTP, so that may make this difficult.