yes,
but i cannot ask him changed for me, do there have any other way can make it securty. i found i can not access xxx.ini.append file, so can i rename all ini files under settings to ini.append or delete theme all, only left files under override and siteaccess.
http://xxx.com/settings/xxx.ini.php files are readable and you cannot place a .htaccess there is no hope for you :-)... Still liek said before talk to your host
another idea could be to place a .htaccess in setttings/