Should I be thinking of using their web host - as I have experienced problems in the past with server timeouts, or am I better considering cloud storage (such as dropbox and their api )? 
If there are limitations with the server timeouts, i would think you would encounter those using the drop box API or using server uploads, the script that is going to time out is still running on their server.
You can reset the time limit on a script bases using:
php:
set_time_limit(0);
other file upload settings can be set using ini_set().
A second consideration is that their host does not allow files to be stored outside the root folder, so I may be compromising on file security.If I password protect a folder (using htaccess?) within the site root, can I automatically provide the password within my php page so the web user does not see the protection ?
the php download page wont be able to pass the login credentials for folder level htaccess security, You best bet would be to hide the files using a complex folder structure. Or perhaps this is the argument for using the drop box api.
