My situation is that when an unauthorized user types in the album link the form with the username and password appears (which is good) but when he goes to the link of the full size image, it's displayed while it shouldn't because he's supposed not to have access to it.

The albums are unpublished and the images are unpublished as well. They're meant to be visible by the owner of the album and the administrator only.

Can anyone help me here?

Thanks in advance

If you mean a direct link to the full image file itself that is out of control of Zenphoto because it is not involved. Zenphoot can only protect what runs through it as a script. A direct link does not.

You have to protect the folder itself using a .htaccess file and/or folder permissions. We have a demo htaccess file on the extensions section and on the user guide articles about hot linking which is more or less this.

Zenphoto access to full images has its own password control set on the option/images tab. If he is typing the direct link to the albums folder then, as acrylian has said, Zenphoto is not involved.