There is no way to get a list of all the URLs in a folder if you don’t want to.
Normally, if a folder doesn’t have a valid index file, then people will see a listing of all the files in a folder. But you can disable directory listing with .htaccess rules, or simply by uploading an index file to the folder (a blank file with the name index.html is enough).
No, that will result in asking for a password, which the vpanel may not know. I tried it once on my css files, and it asked for a password when i used an html file.