The access to a folder that contains content images sub-folder to the outside world can be given by using the next setting in the web config:
<location path="Content/Images">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
To deny access to your documents folder you should do in similar way:
<location path="documents">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>