See the official online handbook for more information about securing private files. The information about private files starts at the "Managing file locations and access" header.
If you set "public" as the download method, you can still protect some of your folders by settings in your .htaccess file, if you have mod_rewrite enabled.
For instance, if your files live in sites/default/files, and you want to protect everything in sites/default/files/protected_download_dir, then you can add the following line to your central .htaccess file:
RewriteRule ^sites\/default\/files\/(protected_download_dir\/.*)$ index.php?q=system/files/$1 [L,QSA]
The files in this folder (or, all files that match the regular expression) will not be served directly by apache, but by a full drupal request using the file_download() callback. The routing for system/files is defined in system_menu().
It is recommended to force the browser to download the file instead of displaying the file. If you for instance offer a protected .jpg for download, the browser will try to open it in the browser which will result in a 404 (which means access denied in this case).