Unnecessary access to favicon.ico

Icon accessed without other files being accessed


iomfan

12:31 am on Dec 22, 2013 (gmt 0)

10+ Year Member



Hi,

not sure what this means, but there are some hosts that repeatedly (and quite frequently) access favicon.ico without accessing any other file. These hosts are regular dynamic addresses in IP ranges from where frequent legitimate access occurs, as well.

Since no referer is sent when accessing favicon.ico, RewriteCond/RewriteRule cannot be used to block such visitors - is there any other way to accomplish this in htaccess?

TIA!

JD_Toims

1:02 am on Dec 22, 2013 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



"Since no referer is sent when accessing favicon.ico, RewriteCond/RewriteRule cannot be used to block such visitors."

Not sure what you mean?

# If the referrer is - or empty, forbid favicon access:
RewriteCond %{HTTP_REFERER} ^-?$
RewriteRule ^favicon\.ico$ - [F]

wilderness

2:02 am on Dec 22, 2013 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



FWIW,
Don't know about anybody else, however my favicon is nearly half-the-file-size of my custom-403-page.

Unless the file is being retrieved hundreds of thousands of times daily, it's really not an issue.

lucy24

2:30 am on Dec 22, 2013 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



"# If the referrer is - or empty, forbid favicon access:"

That would also block access to legitimate humans, since a referer is almost never sent with favicon requests.

Matter of fact I took the opposite tack: the favicon (and apple-touch-icon equivalents) are available to almost everyone, because it provides another way to check for inadvertently locked-out humans.

The now-defunct Google Desktop thingie would ask for the favicon periodically. You still see it in logs.

There's also a Firefox add-on called the Favicon Reloader that periodically re-requests the favicon for sites that you've got bookmarked. Unfortunately there's no easy way to tell which specific page they bookmarked, since the request by its nature comes some time after the user's original visit. But, hey, if people are bookmarking me, let them keep a favicon next to the bookmark. It may make them visit more often. (This is my unofficial, personal opinion. When I look at my own bookmarks menu, the ones with favicons stand out.) The IP and UA both belong to the user, with no distinguishing feature except that it will be a recent version of Firefox.

"it's really not an issue"

This is not something wilderness says every day ;)

But seriously, locking someone out can often come down to emotional gratification. There are not many nefarious things that can be done with a favicon.

JD_Toims

2:40 am on Dec 22, 2013 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Interesting -- Haven't ever checked on the referrer for one before, because it really makes no difference to me who, what or how favicons are requested [I have way better things to be doing than worrying about favicon requests most of the time -- have a bit of free time today ;) lol], especially since it's by far the smallest file on any site I have, so if someone/some-bot wants it for some reason then, whatever.

I'm also not sure what harm they can do with it? It certainly won't match their site since mine are all customized to match the site they're on.

iomfan

9:54 am on Dec 22, 2013 (gmt 0)

10+ Year Member



Thanks for the comments, everybody!
Yes, it's never been an issue - it's just a matter of curiosity. :-)

Specifically, the question is whether there is any way to control access to a certain file via .htaccess in a situation where the usual RewriteCond/RewriteRule approach does not work. More specifically, if we can't or don't want to control access based on such parameters as REMOTE_ADDRESS, REMOTE_HOST, HTTP_USER_AGENT, or HTTP_REFERER, is there another way to filter access based on something else... like, for example, an environment variable that depends on an access counter?

Thanks again!

lucy24

11:46 am on Dec 22, 2013 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



It depends how deep you're prepared to go. mod_rewrite can also read any header, as can mod_setenvif.

:: shuffling papers ::

In a RewriteCond: %{HTTP:header} where "header" is the exact name of the header.

In mod_setenvif it's simply the name of any header-- most often of course User-Agent, but anything can be used.

In each case you can either check whether the header is present at all (for example RegEx . meaning any content) or look for specific text.

If you want to really dig in, there are scripting options. But that goes a little beyond Apache. Since each request is an island, Apache by itself can't consider what earlier requests have come in-- for example, was there a page request from the same IP within the past two seconds?

Edit: Come to think of it, I have no idea what the request header for a favicon looks like. I only log page requests.
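Added example, not part of the thread or any poster's code: the cross-request check described above (was there a page request from the same IP shortly before the icon request?) done offline over the access log, since Apache alone evaluates each request in isolation. It assumes Apache's combined log format and the two-second window mentioned in the post; the sample lines and IP addresses are constructed, and the function names are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" log format (documentation IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Dec/2013:00:31:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 Firefox/26.0"
203.0.113.7 - - [22/Dec/2013:00:31:03 +0000] "GET /favicon.ico HTTP/1.1" 200 1150 "-" "Mozilla/5.0 Firefox/26.0"
198.51.100.9 - - [22/Dec/2013:00:40:00 +0000] "GET /favicon.ico HTTP/1.1" 200 1150 "-" "Mozilla/5.0 Firefox/26.0"
198.51.100.9 - - [22/Dec/2013:01:40:00 +0000] "GET /favicon.ico HTTP/1.1" 200 1150 "-" "Mozilla/5.0 Firefox/26.0"
203.0.113.7 - - [22/Dec/2013:03:00:00 +0000] "GET /favicon.ico HTTP/1.1" 200 1150 "-" "Mozilla/5.0 Firefox/26.0"
this line is not a log entry
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+)[^"]*" (\d{3}) ')
# favicon plus the apple-touch-icon equivalents mentioned in the thread
ICON_RE = re.compile(r'^/(favicon\.ico|apple-touch-icon[^/]*\.png)(\?.*)?$')

def parse(log_text):
    """Yield (ip, timestamp, path) for each parseable line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group(1), ts, m.group(3)

def orphan_icon_requests(log_text, window=timedelta(seconds=2)):
    """Count, per IP, icon requests with no non-icon request from that IP
    in the preceding `window`."""
    last_page = {}                      # ip -> time of its latest non-icon request
    orphans = defaultdict(int)
    for ip, ts, path in sorted(parse(log_text), key=lambda r: r[1]):
        if ICON_RE.match(path):
            seen = last_page.get(ip)
            if seen is None or ts - seen > window:
                orphans[ip] += 1
        else:
            last_page[ip] = ts
    return dict(orphans)

def icon_only_hosts(log_text):
    """Return the set of IPs that requested icons and nothing else."""
    icons, others = set(), set()
    for ip, _, path in parse(log_text):
        (icons if ICON_RE.match(path) else others).add(ip)
    return icons - others

if __name__ == "__main__":
    print(orphan_icon_requests(SAMPLE_LOG))
    print(icon_only_hosts(SAMPLE_LOG))
```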

iomfan

12:38 pm on Dec 25, 2013 (gmt 0)

10+ Year Member



"Since each request is an island, Apache by itself can't consider what earlier requests have come in-- for example, was there a page request from the same IP within the past two seconds?"

That answers my question conclusively... :)