Posted for my own reference, see here for instructions on how to limit the downloads of files to logged in users.
# These next two lines will already exist in your .htaccess file
RewriteEngine On
RewriteBase /
# Add these lines right after the preceding two
RewriteCond %{REQUEST_FILENAME} ^.*(gif|jpe?g|png|doc|docx|pdf|xls|xlsx|mp3|m4a)$
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
RewriteRule . – [R=403,L]
I also use the Media File Manager plugin for separating my secure_files uploads into a separate folder.