Hi there. Thanks for the excellent question.
Yes, that is the intended behavior; because s2Member is a "plugin" for WordPress®. Therefore, it is ONLY applicable to content that you create inside WordPress®. In other words, files that exist outside of WordPress® will remain unaffected by your s2Member configuration, because s2Member is not being loaded up during the HTTP request in those cases.
All of that being said. There is a work-around. Here is a clip from the Changelog where a new feature was added to provide a way for site owners to use s2Member to protect files that are not even a part of WordPress®.
Since s2Member v3.1.5
New feature. It is now possible to protect files that are NOT even a part of WordPress®. You can accomplish this by placing any set of files or folders inside the `/plugins/s2member-files/` directory. Then, you can configure Inline Extensions under, `s2Member -> Download Options -> Inline Extensions`. Using this technique, you can now protect ANY file, using Download Keys and Inline Extensions. For full details, see: `s2Member -> Download Options`. Note, don't be fooled by the word "Download", this feature is much more powerful than it seems at first glance. If you get confused, please write in on the forums for assistance from the community.
Related thread: viewtopic.php?f=4&t=287&p=1263&hilit=protecting+files#p1242Statistics: Posted by Jason Caldwell — October 22nd, 2010, 9:35 pm
]]>