outside of using htaccess to secure the directory and loging in twice, the only option is to store the files outside the site root and use security assist download.
you wont be able to do this with CMS.
create a table to hold the file names
create insert/update admin pages using data Bridge bridge to upload the files to the directory outside of the site root, and save the file name to a database.
create a page for download, add a recordset to lookup the file names in the table. add a form with a submit button and a hidden elemeent in it.
bind the hidden element to the file name column from the recordset.
add a repeat region around the form
in the download file behavior, bind the file name setting to the hidden field.