This is the OS X Server forum — I'm inferring that you're running 10.6.8 client, and not 10.6.8 server — and it's typical to use Server.app (Lion and later) or Server Admin.app (Snow Leopard and earlier) to manage Apache and the virtual hosts with servers. With OS X client 10.6.8, you'll have to create and manage the virtual hosts manually, using the Apache configuration files — that's possible, but involves editing some Apache configuration files.
File protections are entirely system local. If the protections were directly extended, then I could establish user karl_kaboom on my systems, and have full access to your files. But your local files have to be accessible to Apache and the www (or _www) user on your local system, as that's the user that's serving those files to the web; either read-accessible, or with read and execute access for scripts.
There are ways to extend access controls across a network environment, and the Apache web server has mechanisms for authenticating users, using web passwords or digital certificates or such, or variously occasionally more advanced mechanisms.
Using virtual hosts means that the remote accessor has to use the host name of the target virtual host, which means it's less likely for a random remote user to access a random web site — they have to have an entry in their local hosts file or in their local DNS, or be running a very unusual web browser to access a non-default virtual host. It's decent security and will probably discourage most folks, but not impenetrable. Using a password or a certificate is another option, though that'll require editing an Apache configuration file for the web directory. Here's the Apache authentication how-to.
If your system isn't accessible from outside your local network, then you're only going to have issues with random access to your web server from within your network. If you wander around among networks as is common with a laptop, then you'll generally not want to have a running web server when you're off your network — web sharing or full-on Apache via OS X Server — as that provides folks with more things to explore, and more things to attack.
In general, I'd suggest acquiring a book on Apache web services, or spending some time with the documentation over at the Apache web site. Here's the old 10.6 server manual for web services — you likely don't have server and probably don't want to deal with OS X Server here in general, but it might be an interesting read. With 10.6.8 client, you won't have access to various of those tools, and you'll be editing configuration files directly to establish the access controls you're seeking.
I'd also suggest upgrading from OS X 10.6.8 (whether client or server), as support and security updates have apparently ended for that, and the integrated tools are getting older.
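An added example, not part of the original post: one way the virtual-host and web-password suggestions above could look in a hand-edited configuration file, assuming Apache 2.2-style directives. The host names, directories and password-file path are placeholders, and the deny-all first block is an assumption added to show what happens to requests that do not name the private host.

```apache
# Added example; host names and paths below are placeholders, not from the post.
# Apache 2.2-style syntax is assumed.

NameVirtualHost *:80

# The first <VirtualHost> listed is the default: it answers any request whose
# Host header matches no ServerName. Point it at an empty directory and deny
# everything, so a visitor who does not know the private host name gets a 403.
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot "/Library/WebServer/empty"
    <Directory "/Library/WebServer/empty">
        Order deny,allow
        Deny from all
    </Directory>
</VirtualHost>

# The site itself: reachable only by name, and then only with a web password.
<VirtualHost *:80>
    ServerName private.example.test
    DocumentRoot "/Users/Shared/private-site"
    <Directory "/Users/Shared/private-site">
        Options -Indexes
        AllowOverride None
        # Keep the password file outside the document root; create it with
        #   htpasswd -c /etc/apache2/private-site.htpasswd someuser
        AuthType Basic
        AuthName "Private site"
        AuthUserFile "/etc/apache2/private-site.htpasswd"
        Require valid-user
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

Basic authentication sends the password unencrypted unless the site is served over TLS. The site files and the password file still have to be readable by the _www user for Apache to serve and check them.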