The secret URL parameter only protects the administrator login page. It doesn't protect the files inside the adminsitrator directory. In order to require a username and password every time anyone requests a file from the administrator directory please use the administrator password protection feature of Admin Tools.
Regarding the second remark, it's all about the server setup. Some servers redirect access to a directory to the index.php page with an internal redirect, others with an external redirect. In the former case you have administrator/?key in the latter you get adminsitrator/index.php?key.
Nicholas K. Dionysopoulos
Lead Developer and Director
π¬π·Greek: native π¬π§English: excellent π«π·French: basic β’ π My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!