I'm new to Icefaces and Facelets both, but I'm using them on a new project. I've got everything working configured and working fine. However, when I visit mywebapp/file.xhtml, the entire facelets template source comes up in my browser. How could I hide this to prevent users from viewing my server-side templates?

Put all templates into WEB-INF/someDirectory/templates.

Then according to the facelets documentation put this inside your web.xml for all other xhtml files:

<security-constraint>
    <display-name>Restrict XHTML Documents</display-name>
    <web-resource-collection>
        <web-resource-name>XHTML</web-resource-name>
        <url-pattern>*.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>Only Let 'developer's access XHTML pages</description>
        <role-name>someone</role-name>
    </auth-constraint>
</security-constraint>

In the web.xml should be an entry which let you configure the behaviour of xhtml templates (show/hide..)

If you move the .jsp files to the WEB-INF folder (you have to reconfigure the jsp path for JSF), you can't access them by URL. Every J2EE-Server/Webcontainer I know act this way.

Another way is an self written servlet filter etc.

But, why do you want to hide your templates?