I'm going to assume that "protect files" means you want to restrict folder/file access to certain IP addresses, require a user/password login to access the folder, etc.
.htaccess is a folder specific override. It applies to that folder and all sub folders equally. It was never intended to be placed in the root folder to restrict access only to a specific sub folder one or more levels below. Instead you place the .htaccess file in the folder you want to protect, as you apparently have it now.
If the .htaccess file you have in the root folder basically does what you want, but you have special needs for a particular sub folder under that, you can put another .htaccess file in that sub folder. It can override the rules in the parent/root folder, and either add or remove restrictions for that sub folder.
Putting it in httpd.conf with a directive is the best way to go, and you wouldn't need any .htaccess files in the folders. But if your site is hosted on a virtual server you won't have access to Apache's httpd.conf file, or the ability to re-start Apache to load the edited config file, so using .htaccess files is your only option.
I will gladly help you with it, just PM me. Our company has our own server which I manage, and we host several other business sites on it to help offset the cost of having our own equipment. And since I work from a home office the boss lets me moonlight, so I also take care of another six websites on the side. But I'm a *NIX/Apache guy, so if Microsoft is involved anywhere in this process I may not be much help.
** Sent from my rotary dial phone using TwirlaWord **