private upload?

I've been having a terrible time trying to work out how to secure the folder or files I upload via FTP to: /sites/default/files/audio/

I have this type of code inside a certain node type, which can be accessed by everyone, but the media player only shows if user role is 'subscriber':

<?php 
global $user;
$media_title = 'audio test'; 	//title of media for display on page
$media_filename = 'test.mp3';
$role = "subscriber";

if (is_array($user->roles) && in_array($role, array_values($user->roles))) 
{ ?>
	<!-- AUDIO CODE BLOCK --> 
	<div class="audio_container">
		<h3>Title: <?php print $media_title; ?></h3>
		<?php 
			print swf('audio/articles/'. $media_filename);
		?>
	</div>
<?php 
}
else {
?>
<div class="audio_subscriber_msg">
	<p>
		The streaming audio cast on this page is for subscribers only <br/>
		For more information on becoming a subsciber click the button below
	</p>	
	<div class="button-green">
		<a href="<?php echo base_path(); ?>subscribe">Find out more</a>
	</div>
</div>
<?php } ?>

When this source code for this page is viewed in a browser, the path and file name is visible:

<param name="flashvars"  value="soundFile=http:%2F%2Flocalhost%2Fsites%2Fdefault%2Ffiles%2Faudio%2Farticles%2Ftest.mp3" /> 

someone who views the source code can then type the URL directly into the browser to gain access to that media file.

I've tried altering the files permissions to the folder (Linux server on both local and live systems), but what restricts direct access via the browser also prevents SWF tools playing the file too.

I've even tried changing the path to 'above the root folder' via a setting in settings.php as suggested by SWF tools:

$conf = array(
    'swftools_media_url' => '/var/www/subscribers-only', // No trailing slashes!
  );

Can anyone please advise?