You do realize that you can access the videos directly (bypassing the PHP scripts):
http://www.yoursite.com/protected/secret/video1.wmv
etc.
And you do realize that all the redirections will reveal the "secret" directory, right?
It would take someone reasonably technical about 7 seconds to figure this all out, and then they would hot link directly to the "secret" videos and you'd continue on thinking you're "protected". (sigh)
One suggestion - you could serve up the thumbs/videos through the PHP script, but that's got its own problems.
You need to look into a token system that's built into Apache -- *not* PHP, which only protects HTML/PHP files, does not protect content. Note: this does not require any special software to do.
(hint: mod_rewrite and cookies)