just place a .htaccess file in zp-core with

`

``

Order deny,allow

deny from all

`

[i]adapted from the wordpress security guide (blog).[/i]

Will this still allow setup.php to read this and possibly write to it?

reading is no problem (otherwise the zenphoto installation would be unaccessible immediately) and writing should work as well. "deny" protects against wget and alike but server files (like setup.php) will still have full access.