Keep in mind that users who use security suites or right click and choose save as will in most cases error out since their browser will send a blank referrer.
To allow these users you use the line:
RewriteCond %{HTTP_REFERER} !^$
The only way to actually allow them is to allow blank referrers but that'll leave your info open to people who just choose save as from remote locations
...