Two ways to do it:
1: Proper way
/homedir/ - where your website is
/homedir/private/ - where your private files are
/homedir/httpdocs/ - public part of the website
2: Another way
/httpdocs/private/ - private files
/httpdocs/private/.htaccess - containing:
Order allow,deny
Deny from all
/httpdocs/ - the rest of the files
However, you should know that if your web server malfunctions, or some particular settings change, your .htaccess file might become inactive.
That means all your private files will become available via the browser.
That's why the first way is preferred over .htaccess restrictions.
What else is possible? Code level restriction:
In every public PHP script, define a constant:
define("MY_SECRET_CONSTANT", 1);
In every private PHP script, check on the first line of the code that the constant is defined:
if (!defined("MY_SECRET_CONSTANT")) { die("Cannot open the file directly."); }
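
An added example (not part of the original answer): a shell audit that checks whether the private directory resolves outside the document root and whether each private PHP file begins with the constant check. The script name audit.sh and the paths passed to it are assumptions.

```shell
#!/bin/sh
# Added example: audits the layout and the constant check described above.
# Paths passed in are assumptions; GUARD is the constant name from the text.
GUARD='MY_SECRET_CONSTANT'

# outside_docroot PRIVATE DOCROOT: succeed only when PRIVATE does not resolve
# to a path inside DOCROOT (the first layout); fail for the second layout.
outside_docroot() {
    p=$(cd "$1" && pwd -P) || return 2
    d=$(cd "$2" && pwd -P) || return 2
    case "$p/" in
        "$d"/*) return 1 ;;
        *)      return 0 ;;
    esac
}

# first_code_line FILE: print the first line that is not blank, not the
# opening tag and not a // or # comment (block comments are not handled).
first_code_line() {
    awk '
        { line = $0; sub(/^[ \t]*<\?php[ \t]*/, "", line) }
        line ~ /^[ \t]*$/          { next }
        line ~ /^[ \t]*(\/\/|[#])/ { next }
        { print line; exit }
    ' "$1"
}

# is_guarded FILE: succeed only if the first code line is the defined() check.
is_guarded() {
    first_code_line "$1" | grep -Eq \
        "^[[:space:]]*if[[:space:]]*\([[:space:]]*![[:space:]]*defined[[:space:]]*\([[:space:]]*[\"']${GUARD}[\"']"
}

# audit_private DIR: list .php files under DIR without the check; return 1 if any.
audit_private() {
    missing=$(find "$1" -type f -name '*.php' | while IFS= read -r f; do
        is_guarded "$f" || printf '%s\n' "$f"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Usage: sh audit.sh /homedir/private /homedir/httpdocs
if [ "$#" -eq 2 ]; then
    outside_docroot "$1" "$2" || echo "WARN: $1 is inside the document root"
    audit_private "$1" || echo "WARN: the files listed above lack the $GUARD check"
fi
```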