[eluser]BrianDHall[/eluser]
I'm doing something very similar with a real estate site. I'm handling this by storing the images in a database in two tables - one with the data for the image itself, and one for the image information and associated listing/client. Then I have a function that takes an argument and returns the requested image - at this point it's a simple matter to control who can see what image as all your session information is available.
I think this is the easiest way to handle it. It took a day or so to get it all working, and another day or so to get a flash-based multiple file AJAX uploader I found online working, but once you get it going it's very easy to handle management, deletion, authentication, etc. I further use ORM (Datamapper Overzeal Extention) to ease relation management, so I can get images by client, by listing/property, neighborhood, etc.
I like the way it works, so I'd recommend it for your use too.