When creating Web applications with an Access database, developers often save the Access database to a Web accessible folder. That is, they may save the actual .mdb file as: C:\INetPub\wwwroot\MyDB.mdb. The downside to this approach is that anyone who knows (or can guess) the URL to the .mdb file can download the Access database and examine all of your information.
To answer this question of how to protect your Access database's .mdb file, we turn to an ASPMessageboard.com post from Chris:
*** BEGIN QUOTE *** The way to do it is to put your database in a location that is only accessible on the server-side, not client-side. The key to this is putting it in a directory that is higher than the wwwroot. If you're running your own server (eg, IIS) do it like this: [my website] --[html] --[private]
Put the content of your website (eg, images, .htm pages, .asp pages) in the [html] directory, and make this the wwwroot. Put things you want hidden from the client in the [private] directory. When you need to access things in the [private] directory (eg, your database) you can directly reference the path on the server, or work it out.