You did not explain how would you want to restrict the download, but most likely you would allow some downloads only for authenticated users. To learn about it, read this:
Based on authentication, not only you can control the download, you can even restrict rendering the page from which one could download a file. Now, what about downloading itself?
With download, the simplest form is as simple as this:
<a href="myFile.zip">Download myFile.zip</a>
This is something you cannot "restrict". So, to provide restrictions, you need to use more complicated approach.
You can have some control to post a request for the file, for example, a button on a button click. The server part should generate HTTP response with the file. Note, that you don't even need a file in the file system on the server's host. The file is generated on the fly anyway. The correct "downloading" behavior of the client is directed by appropriate HTTP headers, in this case, this is "content-disposition". This is shown in the code sample of the answer to this question:
Note, that this code sample also demonstrates some rudimentary restriction, by the requested file "extension". (See the string "File extension is not allowed" in the sample code.) Again, as this is your code, you impose the restrictions you want; this sample is enough for you to get the idea.