Jen opened this issue on Oct 31, 2002 · 30 posts
duanemoody posted Fri, 01 November 2002 at 1:52 AM
Some observations from someone who actually deals with these issues for a living:

Client-side scripting is futile because it can be disabled. Server-side scripting is the only solution and so far I haven't seen more than two flavors of it for Apache servers:

1. Protected .htaccess image directories as mentioned above. It's clean, it's simple, it works. If you have thumbnails for Renderosity downloads, don't put them in a protected directory.

2. Linking IMGs to CGIs such as Perl scripts which take an ID argument in the URL, look the ID up in a table where a given ID corresponds to a given filename, then feed the image data to your browser directly, but check the IP address of the document/browser making the request before serving the image data. [In other words, the same IP checking mechanism as .htaccess.] RBMA, a content manager for online newspapers, protects The Family Circus in this fashion -- King Features Syndicate can show the cartoons on their site, but regular shmoes who hotlink to the same URL will have an alternate warning image served to the browser instead.

#2 is most useful to people who: a) aren't using Apache servers (e.g. NT boxes), b) haven't been given permission to use .htaccess directives or c) need a highly customizable solution for multiple exceptions to IP blocking rules.

#1 has the advantage that other than relocating your images to another directory, it's about as low-maintenance as it gets.
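The decision logic of option 2 in the post above, as an added example that is not part of the original post and is written in Python rather than Perl: the ID is only ever a key into a server-side table, and the requester's address is checked before a real filename is chosen. The table contents, file paths, allowed networks, the `id` parameter name and the function names are all assumptions made for illustration.

```python
import ipaddress
from urllib.parse import parse_qs

# Constructed lookup table: opaque ID -> file on disk.
# The ID from the URL is never used as a path, so "../" tricks cannot reach the filesystem.
IMAGE_TABLE = {
    "1001": "gallery/render_castle.jpg",
    "1002": "gallery/render_dragon.jpg",
}
WARNING_IMAGE = "static/hotlink_warning.gif"  # hypothetical alternate image

# Constructed allowlist (documentation address ranges): who may receive the real image.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def is_allowed(remote_addr):
    """True only if remote_addr parses as an IP inside an allowed network."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # missing or malformed address: fail closed
    return any(addr in net for net in ALLOWED_NETWORKS)


def select_image(image_id, remote_addr):
    """Return (status, path). The path always comes from our own constants."""
    # Check the requester first, so outsiders get the warning image for every ID
    # and cannot use 404 responses to learn which IDs exist.
    if not is_allowed(remote_addr):
        return 200, WARNING_IMAGE
    path = IMAGE_TABLE.get(image_id)
    if path is None:
        return 404, None
    return 200, path


def handle(environ):
    """Apply the check to CGI-style variables (QUERY_STRING, REMOTE_ADDR)."""
    query = parse_qs(environ.get("QUERY_STRING", ""))
    image_id = query.get("id", [""])[0]
    return select_image(image_id, environ.get("REMOTE_ADDR", ""))


if __name__ == "__main__":
    print(handle({"QUERY_STRING": "id=1001", "REMOTE_ADDR": "192.0.2.15"}))
    print(handle({"QUERY_STRING": "id=1001", "REMOTE_ADDR": "203.0.113.9"}))
```

A real CGI would then open the returned path and write it out with the matching Content-Type header; behind a reverse proxy, REMOTE_ADDR is the proxy's address, so the allowlist has to be evaluated where the true client address is visible.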