lappert2001 - 8:17 pm on Feb 11, 2012 (gmt 0)
I appreciate your help, but the fix didn't completely work for me. Here's what I did. I temporarily renamed the file /home/.htaccess which contains the code I listed above, and which results in the 500 error.
So now the entire directory is visible again with all the /home/domain-user/public_html directories.
Then I went to /etc/apache2/sites-enabled and deleted the symlink to 000-default (but still leaves the default vhost file in the sites-available directory). I don't know if 000-default serves any other purpose in sites-enabled. (of course it provides boiler plate code, but that doesn't mean it needs to be enabled).
So now I have no /home/.htaccess file and no 000-default that is enabled.
I go back and check again, and the directory is still visible. Ouch!
But then I realize, I hadn't restarted Apache. So I do a /etc/init.d/apache2 restart. That goes OK.
I check the browser again. Now here's where it gets interesting. Apparently the default behavior has not been stopped, but the browser shows the next-in-line alpha domain. In this case the next domain in line starts with "b" - so what is displayed when the IP number is called is domain b-example.com. If I remove that, then c-example.com would be displayed and so on.
I suppose I could live with the b-example.com being displayed, and it does close the security hole. But I would prefer a better solution.