Here is the undocumented feature (it will be a settable option in Notes 4.5) which will prevent Web clients from seeing a list of all the databases on a Notes/Domino server.
Note: If they can guess the directory and filename of a particular database, they can still get to the database. Remember to use ACLs or dirlinks to really prevent access to non-public databases.
On the HTTP settings subform (used in the Server\Server form in the NAB), add this field: "HTTP_DatabaseBrowsing"
Make it a keyword text field, editable.
For the keywords, specify "Allow|1" and "Not Allow|0".
Open the server document for the Domino server, set the field to the appropriate value, and save the doc.
Shut down and restart the HTTP/Domino task to get Domino to recognize the new setting.