If there are limitations with the server timeouts, i would think you would encounter those using the drop box API or using server uploads, the script that is going to time out is still running on their server.
You can reset the time limit on a script bases using:
other file upload settings can be set using ini_set().
If I password protect a folder (using htaccess?) within the site root, can I automatically provide the password within my php page so the web user does not see the protection ?
the php download page wont be able to pass the login credentials for folder level htaccess security, You best bet would be to hide the files using a complex folder structure. Or perhaps this is the argument for using the drop box api.