I have 2 blog posts on security and such regarding the file system approach. Take a look:
Also, if you want to get to a more granular approach, you might want to use web.config in each of the directories you want to restrict or grant access to. For instance, take a look in the /CMSPages directory; there is a web.config file in there which grants and denies access to specific files within that directory. I recommend creating a web.config for the directories you want to restrict or grant access to. Keep in mind that if you get too restrictive, the CMS won't function properly.
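
A sketch of the kind of per-directory web.config described above, as an added example that is not part of the original post and not taken from the CMS. The directory, file names and role name are placeholders; it assumes standard ASP.NET URL authorization.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example. Place this file inside the directory to restrict,
     e.g. /RestrictedDir/web.config (placeholder directory name). -->
<configuration>

  <!-- Default for everything in this directory and below.
       Rules are evaluated top to bottom and the first match wins,
       so the allow must come before the catch-all deny. -->
  <system.web>
    <authorization>
      <allow roles="SiteAdmins" />   <!-- placeholder role name -->
      <deny users="*" />             <!-- everyone else, including anonymous -->
    </authorization>
  </system.web>

  <!-- Per-file exception: a page the site needs to serve without a login.
       Over-restricting files like this is what stops the CMS from working. -->
  <location path="PublicPage.aspx">  <!-- placeholder file name -->
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Per-file exception: any signed-in user, but no anonymous requests.
       "?" matches anonymous users; "*" matches all users. -->
  <location path="MembersPage.aspx"> <!-- placeholder file name -->
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

</configuration>
```

Rules in a `<location>` element are checked before the directory-level rules, which is why each exception ends with an explicit allow instead of falling through to the `deny users="*"` default.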