Hi @Dragomir,
The safest thing to do is move your files_dir outside your web root. That way you won’t need to worry about .htaccess protection at all.
The directives you set above will still permit submission files to be downloaded without access being checked, if the remote user is able to guess the filename.
Regards,
Alec Smecher
Public Knowledge Project Team