Since many users can not modify apache configurations or use htaccess files, the best way to avoid unwanted access to include files would be a line at the beginning of the include-file:
<?php if (!defined('APPLICATION')) exit; ?>
And in all files that are allowed to be called externally:
<?php define('APPLICATION', true); ?>
Balu