no i understand that... but there are apps out there that monitor URL navigations... so even if i dont expose it.. there are still ways to see where exactly they are being redirected to.

We sell software that is expensive, and I can not leave security holes in a web app that even if only by guess work can expose direct links to the applications. Ill get fired

and with the help of a few tools, it would turn guess work into simple one time operation for someone to get the link.

bottom line is when you navigate to a file, even from a response.redirect or any other method of hiding the actual URL from the user, they technically still connect to the url to download it... streaming seems to be the only fool proof way to get around this problem.