The rule is that anything you need to access by a URL cannot be placed in WEB-INF, because WEB-INF and its contents are invisible as URL resources. So you can place Facelets include files under WEB-INF, since they're accessed as resources, but the top-level page resources have to be external to WEB-INF, since you use URLs to select them for JSF processing.
There are several ways to make the raw resources off-limits. If you are using standard J2EE container security, just write a security rule in WEB-INF/web.xml to block access to "*.xhtml". That will give a 403 FORBIDDEN. If you prefer a 404 NOT FOUND, you can write a small servlet, map it to "*.xhtml" and have it return a 404 response code for anything sent to it.
A servlet filter can also do the job. The main disadvantage to the filter approach is that if you make a mistake, it can have an impact on other URL requests as well as URLs ending in ".xhtml".
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.