@sitestreet
You can disable directory listing and accessing the files via direct link using .htaccess so it will never be possible to access a file using its link even for logged in users. You then allow access to the files from your web server only.
Then you can create a server action which dowloads the file(s) and protect it using security restrict, so only logged users can run it. Run in on button click.