Having a directory outside the webroot is a good idea.
Also, you are correct, if you freely give out the hard-to-guess directory name with other downloads, then you are not hiding anything. This would seem obvious. In the download area I setup, I don't do this. I always download only via the download.asp script, so the directory name is never given to the client. Then only see
http://...../download.asp?newsletter.pdf and not the resolved true location of the file. IIS5/6 serves the file to the client and never shows them a resolved url. This is a solid type of anti-leech script.
