@felgallApr 30.2009 — #What you do is use a servelet script that reads the file from outside the public part of your site and delivers it to them. You just need to send the right headers on the front to identify the appropriate file type as well as whatever additional processing that you want to use to do the access restriction.
@MindzaiApr 30.2009 — #Your question has been answered twice already! Store it outside the DocumentRoot, then use a script to authorise a user and serve the file to them, making sure to set the headers as necessary.
@felgallMay 01.2009 — #Some shared hosting doesn't allow you to store things outside of te public part of your web site. If that is the case then create a password protected folder with a hard to guess name and place the files in tere. The servlet script will be able to read them from there without the password but your visitors will not even know the name of the folder and will not know the password even if they do guess the folder name.