Have the user enter the username/password in some textboxes, store that information in the session state, redirect to a page that is capable of serving up the zip file, then have that page check the session to ensure the proper username/password exists. The URL you redirect to would look something like this:
http://www.yoursite.com/getfile.aspx?filename=xx.zip
You could even have that page ask the user for their username/password in the event that they aren't found in the session state.