The files and directories are already protected by the system and Apache. Nobody from outside word can access them, unless you write code intended to work around this protection. The rest of the question is to broad and vague for a Quick Answer.
You provide a read-only access to all files under the root directory set up for some Web site. It's not possible to access any other file system object, because all the Web applications are executed in the
sandboxed environment which only allows access to the file which belong to the site.
You can hide all the files in each directory except those explicitly referenced via HTML anchor elements or accessible via your code. This done by not allowing
directory listings for all the directories of the site or some specific directories, which can be done via .htaccess. Please see:
https://wiki.apache.org/httpd/DirectoryListings.
See also:
http://httpd.apache.org/docs/2.2/howto/htaccess.html,
https://wiki.apache.org/httpd/Htaccess.
You can allow the user to download any files, which can be done, in a simplest form, via the form element and input element with the
file
type.
Using PHP or any other server-side technology, you can handle any HTTP request and create HTTP dynamic response on the fly. For general understanding of it, please see:
http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol,
http://en.wikipedia.org/wiki/Server-side_scripting.
And so on…
—SA