Ans: By simply changing the require directive in the .htaccess file of confidential director to include only user staff, we observe with ceo account we can still the access to https://chowvip.csnet.uccs.edu/confidential/secret/topsecret. It shows the access to a directory is overwritten by the .htaccess file and not depending on those .htaccess files directly above. Therefore the apache .htaccess access control does not follow the Unix file access model. Note that if a subdirectory exists under topsecret but contains no .htaccess, then its access is governed by that of .htaccess in topsecret.
See
http://httpd.apache.org/docs/current/howto/htaccess.html#how. "The configuration directives found in a .htaccess file are applied to the directory in which the .htaccess file is found, and to all subdirectories thereof. However, it is important to also remember that there may have been .htaccess files in directories higher up. Directives are applied in the order that they are found. Therefore, a .htaccess file in a particular directory may override directives found in .htaccess files found higher up in the directory tree. And those, in turn, may have overridden directives found yet higher up, or in the main server configuration file itself. " The sub directory under http://chowvip.csnet.uccs.edu/confidential/secret/topsecret/ does not contain .htaccess. Its access is governed only by that of topsecret.