You can use the "set session value" server behavior to save the value from the submitted password field into a session variable.
Then you can create a rule with security assist rules manager that checks the value of the session variable you created to make sure it matches the expected password.
From that point the Show If server behavior and Restrict Access to page server behavior can be used to conditionally show a download button or restrict access to specific pages based on the rule you created in step 2.