Put this in my edited post above, but will put it here also..
I name my download directory something non-guessable like
/asdf90qw3357e-0rsaa
And as I said, the way asp/vbscript works, my download.asp program 'grabs' the file from that directory, and serves it to the client browser without telling them the directory name where it came from. Directory path is not given to the client in any way (doesn't show up with raw http tools, property checks, and even programs like Getright or Flashget which try to resolve the real address).(this is on Win2000/2003 servers IIS 5/6).
Good point about the file sizes in the database. As long as it is cached in RAM there, it will save disk hits.
