I have seen something similar before. For me, it turned out that Firefox 3 employs a new caching system which caches FLV video. If you watch the video on your site, the video (along with referrer information) gets cached locally on the computer. Accessing another video (local or remote) bypasses the block because it uses the cached information. The best way to test this out to see if we have a real issue is to setup a video hotlinked from one of your protected sites and then, clear out your Firefox cache, restart Firefox, and try watching the video.