You can secure folders via roles but, that only works within the context of DNN.  For instance if we had a folderd called Hilbert and in that folder was a zip file called Stuart.zip and I specified that only the Registrered users role could access the folder, then from within DNN only registered users could access the folder.

However, that doesn't prevent someone who isn't logged into DNN from browsing to the folder and accessing the file directly.

When you create a DNN Secure folder what DNN does is add ".resource" to the end of the file name.  This secures the file because IIS will not serve up files with .resource file type.

The third option you have is storing the file within the Database, but this also adds the .resource to the file.