Instead of referencing the flash file directly from the page you instead reference a server side script. That script validates that it has been accessed in a way where the flash file is allowed to be displayed and if it has it then sets up the appropriate headers to identify that it is a flash file and it then reads the content of the flash file into itself.
So your server side script basically contains three pieces of code.
1. validate that the file has been requested from somewhere that is allowed
2. set the headers to identify this file as containing flash and pass that to the browser.
3. copy the content of the flash file from above the root folder and pass it to the browser.