See the official online handbook for more information about securing private files. The information about private files starts at the "Managing file locations and access" header.
Download settings are configured in Administer > Site configuration > File system.
There are two possible settings for download method: Public and Private.
Set to Public if it does not matter that any user, including anonymous users, can download the files uploaded by other users.
Set to Private if you wish to restrict the ability of some users to download files uploaded by other users.
Please note that if you set your download method as private, you should set your "files" directory to be outside the document root for your Drupal installation (i.e. not in http://example.com/sites/all/files). The private download method also has performance implications which you may want to consider.
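One way to verify the placement described above, as an added example that is not part of the Drupal handbook: the function resolves symlinks on both paths and reports whether the files directory ends up inside the document root. The function names and the two paths you pass in are assumptions for illustration.

```shell
#!/bin/sh
# Added example: check that a private "files" directory really lies outside
# the web server's document root. Both paths are supplied by the caller;
# nothing is read from the Drupal configuration.

# Print the physical (symlink-resolved) path of an existing directory.
resolve_dir() {
    ( cd "$1" 2>/dev/null && pwd -P )
}

# files_dir_outside_docroot DOCROOT FILES_DIR
# Returns 0 if FILES_DIR resolves to a location outside DOCROOT,
#         1 if it resolves to DOCROOT itself or anything beneath it,
#         2 if either directory does not exist.
files_dir_outside_docroot() {
    docroot=$(resolve_dir "$1") || return 2
    files=$(resolve_dir "$2") || return 2
    docroot=${docroot%/}    # so a docroot of "/" still matches every path
    # Compare with a trailing slash so that /var/www-private is not
    # mistaken for a child of /var/www.
    case "$files/" in
        "$docroot/"*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Stand-alone use: sh check.sh /path/to/docroot /path/to/files
if [ "$#" -eq 2 ]; then
    rc=0
    files_dir_outside_docroot "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "OK: $2 is outside $1" ;;
        1) echo "WARNING: $2 resolves to a path inside $1" ;;
        *) echo "ERROR: one of the directories does not exist" ;;
    esac
fi
```

A result of 1 for a path that looks external usually means a symlink leads back into the document root.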
If you change your settings at a later date, all download URLs will change, so it's best to plan ahead when you set up your Drupal site and think carefully about whether you'll need to restrict file downloads. If so, we strongly recommend setting the file download method to private when you first create your site to avoid broken links later on. If your download method is set as private, all users will still be able to download files until you set otherwise.