Few weeks ago i was fixing a bug in Sharepoint 2010 project available on the internet. The requirement was to prevent access from authenticated users who knows the special Sharepoint addresses (such as _layouts, etc..).
After some research i found the following post:
http://sharepointtechie.blogspot.com/2011/06/blocking-access-to-application-pages.html
This is what the post says:
SharePoint allows this by enabling the feature “ViewFormPagesLockDown”. This feature is activated at the Site Collection scope. All groups / users not having the “View Application Pages” permission will not be able to navigate to pages like “_layouts/viewlsts.aspx” or “pages/forms/allitems.aspx”.
Below are the steps to block access from application pages:
- Identify users / group to restrict.
- Set their permission to “Restricted Read” or remove the “View Application Pages” from existing assigned permission level.
- Enable “ViewFormPagesLockDown” feature using the powershell command (replace the [yoursiteurl] with the right url):
stsadm -o activatefeature -url [yoursiteurl] -filename ViewFormPagesLockDownfeature.xml
The above steps will block all users not having “View Application Pages” permission from accessing the application pages and form pages.
Marco Mansi's Blog 
Leave a Reply