Tested on my server Debian lenny, ISPConfig 3.0.1 and I get a access forbidden (403).
ISPconfig adds rules to protect these directories from being accessed directly for every site created in ispconfig. for example:
Deny from all
If this is not added in your configuration then you do not use ISPConfig 3.0.1 or you have modified the vhost templates.
If you want to protect also directories not created or maintained by ispconfig, simply disable the debian default vhost.