I'm boggled by this. Is there some reason why you can't turn on password protection in the webserver? I'm pretty sure they invented that for things like this. There isn't much in the way of gymnastics you can do to fix this.
My best suggestion would be that you let them select which file they want at the same time as they are offered the password login. Then, have the download script check that they have asked for a legitimate file AND that they have entered the password. If they don't give you any post/get data, redirect them to the front page and if they give you bad data show them an error. I think that is the best you are going to do.
$you = new YOU;
honk() if $you->love(perl)