what strategies helmet off web resources formed business logic

i have unfolding where i'm unequivocally certain proceed best one, i conclude feedback / suggestions.

scenario:
i have garland peep formed (swf) 'modules' hosted aspnet application. any peep it's possess office filesystem, contains resources flash. cruise simplified site structure:

/webapp/index.aspx

/webapp/flash/flash1/flash.swf

/webapp/flash/flash1/someimage.jpg

/webapp/flash/flash1/someclip.mp3

/webapp/flash/flash2/flash.swf

/webapp/flash/flash2/someimage.jpg

/webapp/flash/flash2/someclip.mp3

etcetera

where controlling party /webapp/flash/flash[id]/

i wish exercise confidence apparatus checks presumably user should certified access* files subfolder '[id]' it's contents.

**insert business explanation formed information stored sql database here*

i deliberation minute httpmodule does something like

processrequest(){
    if(request.rawurl.contains("/webapp/flash") && !userhasvalidlicenseformodule(1)){
        redirect("login.aspx");    
    }
}

but there's obstacle httpmodule wholly works record progression mapped aspnet (in iis6). means i have map illusory extensions slight (.mp3, .jpg etc) something i rather avoid.

i also deliberation httphandler instead, nonetheless peep record needs means couple it's resources controlling family urls. (so proxy-like settlement /webapp/getprotectedstuff.ashx?file=flash1234/flash.swf prefered)

perhaps it's wiser store peep files resources outmost web bottom completely. maybe there strategies i havent guess of.

use aspnet confidence tradition membership provider?

any thoughts?