Yep, you may need to change the mode on a directory above. The point is to remove the execution privilege from a directory above the document root. If its above the document root, than Apache should not execute it directly, and you would use PHP to read the directory and serve the images. This way if someone masquerades an executable as a jpeg, the worst case scenario is a garbled image.
header('HTTP/1.1 420 Enhance Your Calm');