In web applications I have worked on, we stream the PDF files to the browser. This way no one has direct access to the file's URL and since it is an ASPX page, we can apply whatever securtiy we want (ie. user must be logged in).
Here is sample code similar to what I used:
Dim strFilePath As String = "C:\www\pdf\abc.pdf"
Using fs As New System.IO.FileStream(strFilePath, System.IO.FileMode.Open)
Dim docStream(fs.Length) As Byte
fs.Read(docStream, 0, CInt(fs.Length))
Response.ClearContent()
Response.ContentType = "application/pdf"
Response.AddHeader("Content-Disposition", "inline; filename=" + System.IO.Path.GetFileName(strFilePath))
Response.AddHeader("Content-Length", fs.Length)
Response.BinaryWrite(docStream)
Response.End()
End Using