How does one go about securing individual subdirectories that contain non-asp.net filetypes when using Forms Authentication?

I have a subdirectory that contains certain files that I only want logged-in users to see. Since they are non-asp.net files (zip, pdf, etc), an anonymous user can access a file as long as they know the direct link. All of the articles I have read (like this one (and countless others) go over using the aspnet.isapi.dll filter and specifying the file extension that you wish to protect. The problem is that this is application level, not directory-level. By using this method, if I add the .PDF extension, then ALL of the .PDF files on the site would then require a login, not just the PDF files in the "secure" location.

I guess what I am getting at is what is the best practice scenario at handling this when using Forms Authentication?