I don't know what the scripting problems are for public access, but if it's bandwidth thieves, then you just put an htaccess file in every image folder, and you have the htaccess script in your cgi-bin. It will deny remote linking of various filetypes like jpg, gif, swf, html et al. If it's scripting problems to deny public access to some objectionable or private images, then those go into the password script you use, meaning they're blocked unless the user has logged in already. It would be tedious to have to update it, but maybe you could pay some gopher to do it daily, using the incremental receipts asociated with allowing the public in (since some percent of them will buy prints, t-shirts etc.).