The PHP files in the wp-includes directory will do nothing when accessed directly. They are designed to be include()‘d in an existing PHP script, such as on the front-end or in the dashboard.
Your Options -Indexes entry in the .htaccess file simply prevents a list of the files in a directory when no index.php is present. It’s good practice to use this on a live server. I’m not entirely sure what the second line does; you should most likely remove it.
If you’re especially concerned about people attacking your server, you can prevent access to the wp-includes directory completely. To do this, create a .htaccess file inside the wp-includes folder with the following content:
Deny from all