It's true, Java/J2EE webapps have a portable, standard means to limit access to resources (among other useful features); that said, in a non-J2EE webapp you can still prevent people from directly accessing view pages:
1/ use .htaccess to disable bare directory listings. It's tougher for people to access a resource if they don't know what it is.
2/ put a different extension on your view pages (e.g. ".phpv") and use .htaccess to deny access to them. The controller can still access those files because PHP's include() bypasses the Apache request cycle.