securing a directory in iis5 without usi

I am running WIN2K server with IIS5 as my public web server. The bulk of the site allows anonymous access. Their is a members site that requires password protection via an ASP script that validates against an access or sql database. This allows me to protect pages without using the ACL (not to mention purchasing internet access licenses). It allows self registration eliminating much of my administrative overhead. I am adding a download page, but if anyone knows the full path name and naming scheme to the file, they can go directly to the file without first going through the login page. My question: how can i secure the directory as well without adding users to the ACL?