There are actually only frou directories in Spam Board which the user actually has to access ever: /, /redirectors/, /admin/ and /admin/redirectors/. Most of the others aren't really in need of locking down. There are two exceptions.
This directory contains the active user sessions. By default, PHP uses /tmp/ as the place to save those.
The default directory isn't accessable to anyone from the outside, but the sessions directory is. So it might not look like such a good idea to use a directory under the site's WWW root. Spam Board still does, and the reason is simple. Every user on the machine running the webserver has read and write access to the /tmp/ directory, so everybody on there would be able to read and manipulate the users' sessions. A security nightmare!
The ideal place to put such a directory would be one level below the WWW root, i.e. a place which people can't access via HTTP, but still only this user on the host has access to. Unfortunately, many 'shared hosting' offers put people directly into their WWW roots. In order for Spam Board to still run on such accounts, the only place the sessions can be saved is within the WWW accessable part.
The webserver has to reject all HTTP rejects to any files in the sessions directory. The installer will set this up automatically if you're running Apache. For reference, here's the .htaccess file which is created in the directory.
deny from all
To test this, just point your browser to one of the files within the sessions directory and see what happens. If you get the reply '403 Forbidden', everything's fine.
If you can still download the file, your server's probably configured not to allow per directory overriding of the global settings. Make sure 'AllowOverride' is set to 'All'. If you're not the server's administrator, ask your admin to do it for you. If he or she refuses, get a better host (there's really no reason why a host shouldn't allow you to set 'deny from all' for a directory).
The install script only handles blocking HTTP request automatically for Apache. If you're running another webserver, you have to set this up by hand.
If you're using a database system other than SQLite, you don't have to worry about this directory. If, however, you are using SQLite, this is where your database will be stored - and you don't want your whole database to be downloaded by the whole world.
The same method as for the session directory applies, so see above for the details.
While only the above are crucial, only very few directories actually require HTTP access to be allowed:
All other directories can be locked down for extra paranoia mode. The installer script will do this automatically if running on Apache.