I have developed a website which has a structure that can be summarised as:

 htdocs
     .htaccess
     ...
     wp-content
      ...
      uploads
       ...
       Private
        .htaccess
        ...

I need to access files in the Private directory from a Members Only within the website, but protect them from direct access. For example, if I enter the following in a web browser I can access a document directly:

http://www.Mywebsite.com/wp-content/uploads/Private/Admin-Accounts.xls

I thought this could be solved by including the following in the Private/.htaccess file:

order deny,allow
deny from all

However, it doesn't seem to matter what is in the Private/.htaccess file, I can still directly access files in the Private directory. The contents of the .htaccess file in the root directory seem to over-rule. If I search the site I find .htaccess files in numerous directories. What defines which one is in use?