You want to deny all web access to files in a directory, except for those with a particular extension (i.e., a directory with HTML files in it, where you don't want other files to be accessible).
Use a Files container in a Directory container to limit where authentication is required:
<Directory "/usr/local/apache/htdocs"> Satisfy All Order allow,deny Deny from all <Files *.html> Order deny,allow Allow from all Satisfy Any </Files> </Directory>
This method can be easily extended to apply to arbitrary filename patterns using shell global characters. To extend it to use regular expressions for the filename, use the <FilesMatch> directive instead.