As i already posted in your other topic about the same question, just follow this topic:
It explains how to secure your files from being accessed by entering the direct link. As explained in this topic:
You can disable directory listing and accessing the files via direct link using .htaccess so it will never be possible to access a file using its link even for logged in users. You then allow access to the files from your web server only.
Then you can create a server action which downloads the file(s) and protect it using security restrict, so only logged users can run it. Run in on button click.
So - use the htaccess rules provided there and use the serverside download action to get the files ... no other way to access them will work.