This is how I would approach this problem (a variation of your second idea).
Create a directory called images outside of our document root.
In the document root, create a file called image.php which will act as a despatcher by first checking if the user has permission and then loading the image, or else throwing an error, like this (example):
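<?php
// Start PHP Session
session_start();
// Get Request Param (basename() strips any directory components)
$image_file = isset($_GET['file_name']) ? basename($_GET['file_name']) : '';
// Build the path relative to this script, not the current working directory
$image_path = __DIR__ . '/../images/' . $image_file;
// Check if current user has permission here, e.g. using Session?
if (!empty($_SESSION['can_view_image']))
{
    // Check If The Image File Exists (an empty name would otherwise match the directory itself)
    if ($image_file !== '' && is_file($image_path))
    {
        // Get File Ext
        $file_ext = strtolower(pathinfo($image_file, PATHINFO_EXTENSION));
        // Set Content Type Header Based On File Ext
        switch ($file_ext)
        {
            case 'jpg':
            case 'jpeg':
                header('Content-Type: image/jpeg');
                break;
            case 'png':
                header('Content-Type: image/png');
                break;
            default:
                // Anything else would go out with the default text/html type, so refuse it
                exit('Requested file is not a supported image type.');
        }
        // Load Image (from the images directory, not the document root)
        readfile($image_path);
    }
    else
    {
        // Error
        exit('Requested image file does not exist on this server.');
    }
}
else
{
    // Error
    exit('You do not have permission to view this image');
}
?>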
Usage would look like this:
<img src="/image.php?file_name=some_important_chart.jpg" />
Users with the permission will see the image; users without permission will see a broken image.
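
A stricter version of the file lookup in the dispatcher above, as an added example that is not part of the original answer: it confirms the resolved path stays inside the images directory and takes the Content-Type from the file's bytes rather than its extension. The function names resolve_protected_image() and send_protected_image(), the sample files and the extra response headers are assumptions made for the illustration, and the fileinfo extension is assumed to be enabled.

```php
<?php
// Added example, not from the original answer. Function names and sample
// files are hypothetical; requires the fileinfo extension.
const ALLOWED_MIME = ['image/jpeg', 'image/png'];

function resolve_protected_image(string $baseDir, string $requested): ?array
{
    $base = realpath($baseDir);
    $name = basename($requested);               // drop any directory part
    if ($base === false || $name === '' || $name[0] === '.') {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);   // resolves symlinks
    // Reject missing files, directories, and links that resolve outside $base.
    if ($path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Decide the type from the file's bytes, not from its name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return in_array($mime, ALLOWED_MIME, true) ? ['path' => $path, 'mime' => $mime] : null;
}

function send_protected_image(array $image): void
{
    header('Content-Type: ' . $image['mime']);
    header('Content-Length: ' . filesize($image['path']));
    header('X-Content-Type-Options: nosniff');    // browser must not re-guess the type
    header('Cache-Control: private, no-store');   // keep it out of shared caches
    readfile($image['path']);
}

// Constructed sample data: a temporary "images" directory holding a PNG
// header (signature plus start of IHDR) and a text file with a .png name.
$dir = sys_get_temp_dir() . '/images_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
$png_header = "\x89PNG\r\n\x1a\n\0\0\0\rIHDR" . pack('NN', 1, 1) . "\x08\x06\0\0\0";
file_put_contents($dir . '/chart.png', $png_header);
file_put_contents($dir . '/notes.png', "plain text, wrong extension\n");

foreach (['chart.png', '../../etc/passwd', 'notes.png', 'missing.jpg', ''] as $req) {
    $hit = resolve_protected_image($dir, $req);
    printf("%-20s => %s\n", var_export($req, true), $hit ? $hit['mime'] : 'rejected');
}
array_map('unlink', glob($dir . '/*'));
rmdir($dir);
```

In image.php, the session check would still come first, and send_protected_image() would be called only when resolve_protected_image() returns a non-null result.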