I would ignore the suggestion about using a completely different server for security reasons; if someone can hack one of your servers, they can hack the other one too, and you would have bigger problems than them stealing your files if that happened...
I would probably store the files outside of the web root, so that they're not even accessible directly over the web; then have a script that, when accessed, validates that the person is logged in and then transfers the file to them.
So your server-side script (i.e. PHP/.NET):
- checks they're a valid user (i.e. by the standard user-is-logged-in check that you're doing elsewhere on the site - checking the session or whatever)
- sets the correct headers for the file type, e.g. Content-Type: application/octet-stream
- reads the file from wherever it is on the server
- outputs it to the user's browser
- if they're not a valid user, the connection is ended and they don't get the secure file.
This means that they only get the file if they're a valid, logged-in user.
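The download script described in this answer, as an added example that is not part of the original post. It is written as a framework-free Python handler (the post suggests PHP/.NET; the structure is the same) and returns the status, headers and body a WSGI handler would send. The session dict, the storage directory and the sample file are assumptions constructed for the example; the path-containment check is added so a requested name cannot escape the private directory.

```python
from pathlib import Path
import tempfile

def serve_private_file(session, requested_name, storage_dir):
    """Gatekeeper for files stored outside the web root.

    Returns (status, headers, body). Only a logged-in session gets the
    file bytes; anything else ends with no file content at all.
    """
    # 1. The same logged-in check used elsewhere on the site (assumed key).
    if not session.get("user_id"):
        return 403, [("Content-Type", "text/plain")], b"Forbidden"

    # 2. Resolve the requested name inside the private directory and refuse
    #    anything that resolves outside it (absolute paths, "..", symlinks).
    base = Path(storage_dir).resolve()
    target = (base / requested_name).resolve()
    if base not in target.parents or not target.is_file():
        return 404, [("Content-Type", "text/plain")], b"Not found"

    # 3. Read the file and 4. send it with download-appropriate headers.
    body = target.read_bytes()
    headers = [
        ("Content-Type", "application/octet-stream"),
        ("Content-Disposition", f'attachment; filename="{target.name}"'),
        ("Content-Length", str(len(body))),
        ("Cache-Control", "private, no-store"),  # keep it out of shared caches
    ]
    return 200, headers, body

def demo():
    """Constructed scenario: a private directory with one report file."""
    private_dir = tempfile.mkdtemp(prefix="private_files_")
    (Path(private_dir) / "report.pdf").write_bytes(b"%PDF-1.4 sample")
    logged_in = {"user_id": 42}      # assumed session shape
    anonymous = {}
    return {
        "ok": serve_private_file(logged_in, "report.pdf", private_dir),
        "anon": serve_private_file(anonymous, "report.pdf", private_dir),
        "escape": serve_private_file(logged_in, "../../etc/passwd", private_dir),
    }

if __name__ == "__main__":
    for name, (status, _, body) in demo().items():
        print(name, status, body[:16])
```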