Actually I solved the issue. I had an Wordpress site on root directory and another in /planuri directory. For some reason the .htaccess rules from the root directory were breaking the subfolder site rules.
I just moved the entire installation onto a new domain, in root folder, and now s2member is protecting the files properly.
About the upload directory situation: I defined the upload directory inside s2member-files folder in order to automatically protect all media files. And it works as intended since I need a members only website where I want to make sure nobody can load any media file if the url is known by some means.
The protection works without the ccap feature, simply all tree under s2member-files is protected. I am struggling now to find out how to unprotect a specific folder that I need unprotected, containing theme's dynamic css stuff...