Stop document downloads from unauthorised users

I have an application where the admin user can create users and upload documents to the server for the created user to download.

When uploading a file it creates a folder using the userid as the folder name and saves in that folder within a folder called documents e.g. ~documents/77b29079-43d6-4520-bc34-77ae2af1b131/documentname.xls

The client then has to login and will see a list of available do开发者_运维知识库cuments for that user only. The only problem is that if someone was to get hold of one of the urls to a document is can be downloaded without having to login.

Is there something I can do to stop access to these files?? I have tried editing the web.config file to only allow access to certain roles but i could still download a document without logging in.

<location path="documents">
    <system.web>
        <authorization>
            <allow roles="Admin, Client"/>
            <deny users="*"/>
        </authorization>
    </system.web>
</location>

Thanks for your help. J.

The link provided by @rlb.usa in the comments has two good methods. Another alternative is storing the documents in a database and using application code or database security to determine who has access to what. That of course, comes with a different set of problems and advantages. If you are using SQL Server, this hits on some of the pros and cons.