"Directory Browsing disabled" - is it enough to protect the files?

I have an ASP application, it's an Online Certification Program.
In IIS I have a folder "Assignments_Submissions"
where I store the files in my ASP Application.
I store files in SQL Server but before I do that
I need to save it on a hard-drive and
to see if AntiVirus catches anything.
I cleanup them later manually.

One student who submitted the file
last year found the exact document
on www.essaycrawler.com

The student is completely sure that he never
emailed the file or stored it anywhere on the Web.
The file was always on the student's hard-drive.
It is his personal computer, nobody has access to it.

My question is - is it enough to
have "Directory Browsing" disabled to protect the files.
Or maybe there are some smart crawlers that
can get through?

RobO
Now we have to test the security
and investigate this case

Disabling directory browsing only stops browsers from listing a directory contents. Being off won't stop any client from directly accessing a file if they know the exact url, crawler or otherwise.

I'd say keep your documents in the db, or in a folder that doesn't allow anonymous web surfing.