I read the HTAccess wiki, setup the .htaccess and .htpasswd files and not only did it list the files in the directory, but allowed me total access - without any username/password. Not good.
Next I went into the CPanel, and I found the Htaccess/WebDAV section and added the directory to be protected and username/passwords, then saved it.
No different, I could still access the directory and files without any username/password required.
Does this CPanel function not work? Does it have something to do with the servers? According to the wiki, this should work. Or is there something I am missing here? I used php
$dir = dirname(FILE);
to confirm the directory was correct - and it is the same one that CPanel used to create the .htaccess file.