"Then create a .php page that is secured with file download server behaviors to download the files." Just looking for clarification, so you're suggesting something more advanced needs to be done than just securing that PHP page in general with SecurityAssist? If the file is outside the web root so no one can view the folder directly and the PHP page that directs them to that file is secure, I'm not following what additional would need to be done.