Yes, you should maintain the Document folder within the "App_Data" folder. This folder is a restricted folder, and the ASP.NET runtime does not let users access this folder via the browser.
Besides, if you want to store your documents in some other folder (not within the "App_Data" folder), you can restrict the folder access in IIS. See http://support.microsoft.com/kb/313075
Another possible option is to store the uploaded documents in a folder that is outside of the web application's root folder. In that case, the user will never be able to access that folder.
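
Once the documents are no longer reachable by URL, the application has to hand them out itself. The handler below is an added example, not part of the original answer: it assumes the files live in `~/App_Data/Documents`, that the file name arrives in a `name` query-string parameter, and that the class name `DocumentDownloadHandler` and its registration in web.config are your own choices.

```csharp
using System;
using System.IO;
using System.Web;

// Hypothetical handler: serves files from a folder the browser cannot reach directly.
public class DocumentDownloadHandler : IHttpHandler
{
    // Assumed storage location; a folder outside the web root works the same way.
    private const string StorageVirtualPath = "~/App_Data/Documents";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Only signed-in users may download; add per-document ownership checks here.
        if (!context.Request.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        string root = Path.GetFullPath(context.Server.MapPath(StorageVirtualPath));
        string fullPath;
        if (!TryResolve(root, context.Request.QueryString["name"], out fullPath)
            || !File.Exists(fullPath))
        {
            context.Response.StatusCode = 404;
            return;
        }

        // Force a download so the browser does not render uploaded content inline.
        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("X-Content-Type-Options", "nosniff");
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(fullPath) + "\"");
        context.Response.TransmitFile(fullPath);
    }

    // Accepts a bare file name only and confirms the result stays under root.
    public static bool TryResolve(string root, string name, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrEmpty(name)) return false;
        // Rejects separators, drive colons, quotes and control characters.
        if (name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return false;
        string candidate = Path.GetFullPath(Path.Combine(root, name));
        string prefix = root.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        // "." and ".." pass the character check but resolve outside the prefix.
        if (!candidate.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)) return false;
        fullPath = candidate;
        return true;
    }
}
```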