Place the files in a folder above your public root folder and control access through PHP or whatever script you are using or deny access to a file directory below your public folder and use PHP to read the file from there (less secure). Or, you can store the files as binary data in a database and control access that way.
I do not have much knowledge in that area and, in fact, I am hopeful others will chime in about file access control so I can learn a thing or two. Such as: if you control file access through PHP with the files stored above public_html, which PHP function(s) do you use to transmit the file to the browser, which headers should you use, and once the file transmission has begun, does the PHP script end with no max_execution_time issues with the server taking over? I am basically looking for how one would protect files for a membership site.
So if anyone has any information to share or links to info, I would be glad to see it because this is one gap I would like to fill.