Disable sftp-server

Hi all,

A friend of mine who has sftp access to my box brought it to my attention that my complete root tree was browsable via sftp. I immediately removed the subsystem line in my sshd config, as explained in this tut: http://www.cyberciti.biz/faq/rhel-centos-debian-unix-turnoff-sftp-server/

Since I don't have a lot of users who are granted ssh access, I didn't go into this problem further at that time; I figured I could solve it when I had a day off. But the next I got the same warning from him again: my complete tree was visible. While I don't really care that he is able to view my tree, I was stunned to find out he was still able to sftp to my box.

I checked my sshd config again and found that the subsystem line was still commented out (the ssh daemon had rebooted). So I took a win-xp machine and my debian laptop and started trying the following things:

debian box:
Via a root terminal I tried to sftp into my server: authentication approved but connection denied because there was no subsystem available, OK!

xp box: got myself an ftp program (FileZilla) and tried to sftp into my box: authentication approved, connection established AND the tree was built! I was able to explore my own user folders as well as the root folder with the 'world-read' flags.

For the moment I have renamed my sftp-server file to a different name so access through FileZilla is also denied.

How is this possible? My sshd config has a clearly commented-out subsystem, which is proved by the fact my debian box is not able to establish a connection. But why is a simple sftp indeed able to make a perfectly good connection?

Re: Disable sftp-server

kick!

no one?
