I would only bother about securing the Administrator, that
is, the directory CFIDE/Administrator/. The other directories, like
CFIDE/Classes/, CFIDE/adminapi/, CFIDE/Scripts/, etc., are needed by
ColdFusion to enable it to implement Java and JavaScript when
processing requests. Securing them will obstruct ColdFusion.
You should have realized, of course, that AJAX, like any of
ColdFusion's other JavaScript modules, runs on the client. There is
therefore no point preventing the client's access to, for example,
CFIDE/Scripts/.