there is not another way to protect the files.
any other strategy is not protection, it is just hiding them.
sure, you could create a complex directory structure and have the files 10, 15 levels deep, but that is not 100% protection. it will certainly make it difficult to guess the directory structure, but it wont be impossible. you are really just hiding the needle in a hay stack. The Myth Busters proved that the needle can still be found.
I'm not saying that you cant do it that way, I'm just making the distinction between hiding the files and truly protecting them.
hiding them like you are suggesting is certainly viable, but don't make the mistake of thinking that they are truly protected form unauthorized download.
the only way to truly protect the files from unauthorized download is to store them outside the site root.