On Window OS, security are basically enforced through a Window account and ACL (there is no way around it). If your resource are programmable (such as ASP, ASP.NET) then you can include your own custom logic to enforce security. If your resource are non-programmable, then you can only rely on the Window security feature to protect your resource. For web application/portal, Microsoft Site Server would be the recommended solution.
Alternatively, you can assign an ID to each of your resource. When an authenticated user submit the ID to your application, then in your code, you can open the file and send out the content. This way, the user will never actually know the real path/name of your resource, but just only the ID. I found that this is a common solution in many portal application.
I have implemented such a similar security and you can test and download the source code at http://www22.brinkster.com/ttawin/registration/ . If somehow you can download the zip file without login, then please let me know. Thanks.