You could use the Shared File feature in mojoPortal. Put it on a page protected by the "Authenticated Users" role and then only authenticated users will be able to view the page or download files you share.
The problem with links to various fies in the file system is that unless .NET is configured to serve all file types, IIS is going to serve those files and the request is not handled by .NET code so there is no opportunity to enforce any rules.
What the Shared Files feature does, is actually store files on disk with a .config extension which is by default a .NET extension that is protected so .config files will not be served by an http request for the file. If the user has view permission then the Shared Files feature will Response.WriteFile the file changing it back to its original name in the process. So even if someone knew the url to the file they could not retrieve it without permissions.
Hope it helps,