directory security in IIS5

I am running WIN2K server with IIS5 as my public web server. The bulk of the site allows anonymous access. Their is a members site that requires password protection via an ASP script that validates against an access database. This allows me to protect pages without using the ACL (not to mention purchasing internet access licenses). It allows self registration eliminating much of my administratove overhead. I am adding a download page, but if anyone knows the full path name and naming scheme, they can go directly to the file without first going through the login page My question: how can i secure the directory as well without adding users to the ACL?