Thank you Jose, that's great.
I was just looking to cloak the urls of the downloads. However I notice that this website and one other that has some downloadables on it are the only sites that had rogue articles inserted into the root (that is, until the tables were locked in Security Check Pro). I did wonder whether there might be some way the downloadable links provided access to the root; would this be possible?
The best way to do that is using the Joomla core ACL. You can do it yourself creating groups to control what can be downloaded for each group or use any of the extensions avaialbla at JED to control your downloads. For instance,