But it will only work if mod_setenvif executes before mod_rewrite. On shared hosting, you can never be sure about these things. (It probably does-- I experimented once on my own site-- but it's not iron clad.) If instead you say
Deny from env=dont_allow
you can be absolutely that that sucker isn't getting in.
You can save yourself a little bit of typing, and save the server a few bytes, by using the shortcut BrowserMatch.