To have secure download you should use the download field plugin, because:
(a) checks access level of the user before it allows downloading, and
(b) does not reveal the location of the file (it can reveal the filename if you want)
(c) uses a folder that is protected from direct downlod access via .htaccess file
About (b) You could also do this (although it is not needed)
- change secure folder in Global config and then rename the folder via FTP
NOTE: if you use a custom folder to store download you should rename existing one as described above, if you create a new one make sure to copy .htaccesss from the original folder