Hello Salman and Pepi,
I have a solution for you guys. All you need to do is make a few changes in IIS and add a Web.config file to the File section.
Step 1: Assign security to the folder
Add a web.config file to the folder in Files that you want to protect (~\Sitefinity3.1\WebSites\<YourProject>\Files\Protected\). Here's a sample Web.config file allowing the "Admin" role to access the folder. Note: Alternatively you can also do this through IIS.
<configuration><system.web><authorization>
  <allow roles="Admin" />
  <deny users="*" />
</authorization></system.web></configuration>
Step 2: Add application extension mapping
By default .NET DOES NOT PROTECT non-ASP.NET files (.pdf, .htm, .doc, .ppt, .xls, etc.), so you need to create a custom mapping in IIS. To do this, open the web site or virtual directory properties in IIS and navigate to Home Directory | Configuration | Mappings | Add. Now you'll need to add the following mapping record for each file type (extension) you want to protect; in the example below it's for a .pdf.
Note: In order to get the value for the executable section I just copied the value from the .aspx mapping.
All Verbs (selected)
Script Engine (checked)
Verify that file exists (checked)
Step 3: Add httpHandlers to your Web.config
Open your web site's Web.config file and add the following httpHandlers for the file types you want protected (~\Sitefinity3.1\WebSites\<YourProject>\).
<add type="System.Web.StaticFileHandler" path="*.pdf" verb="*" validate="true" />
Now your files are protected!!! Anyone trying to access these files must pass through your authentication. Let me know if this works for you or if you need any help configuring this.
Hope this helps!
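An added example, not part of the original post: a small Python check of the two Web.config pieces from Steps 1 and 3. It evaluates the folder's authorization rules in order (the first matching rule wins, so the allow must come before the deny) and lists file extensions that have no httpHandlers entry. The sample configs, user names and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs mirroring Steps 1 and 3 (not taken from a real site).
FOLDER_CONFIG = """<configuration><system.web><authorization>
  <allow roles="Admin" />
  <deny users="*" />
</authorization></system.web></configuration>"""

SITE_CONFIG = """<configuration><system.web><httpHandlers>
  <add type="System.Web.StaticFileHandler" path="*.pdf" verb="*" validate="true" />
</httpHandlers></system.web></configuration>"""


def _csv(value):
    """Split a comma-separated attribute such as users="a,b" into a set."""
    return {v.strip() for v in value.split(",") if v.strip()}


def is_allowed(folder_config, user=None, roles=()):
    """Walk <authorization> rules top-down; the first matching rule decides.
    user=None models an anonymous request. If no rule matches, the parent
    configuration applies, modelled here (an assumption) as allow."""
    rules = ET.fromstring(folder_config).findall("./system.web/authorization/*")
    for rule in rules:
        users = _csv(rule.get("users", ""))
        rule_roles = _csv(rule.get("roles", ""))
        match = ("*" in users
                 or ("?" in users and user is None)
                 or (user is not None and user in users)
                 or bool(set(roles) & rule_roles))
        if match:
            return rule.tag == "allow"
    return True


def unprotected_extensions(site_config, extensions):
    """Return the extensions with no httpHandlers <add path="*.ext"> entry."""
    handlers = ET.fromstring(site_config).findall("./system.web/httpHandlers/add")
    covered = {h.get("path", "").lower() for h in handlers}
    return [e for e in extensions if "*" + e.lower() not in covered]


if __name__ == "__main__":
    print("anonymous allowed:", is_allowed(FOLDER_CONFIG))
    print("Admin allowed:", is_allowed(FOLDER_CONFIG, "alice", ["Admin"]))
    print("no handler for:", unprotected_extensions(SITE_CONFIG, [".pdf", ".doc", ".xls"]))
```

This only checks the Web.config side; the IIS extension mapping from Step 2 still has to exist for each file type, otherwise the request never reaches ASP.NET.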