The security example only implements model security, not page security so while you can directly access protected.seam you will not be able to execute the protected action. That being said, I'll shortly be reworking the security API to make it much more complete than the state it's in right now.
Yes, model security works fine.
Are there any options for page security now?
Not yet, but there are plans for it. This part of the security API will be implemented with a servlet filter.