Well, as I understood, all downloads are handled by a PHP script in this situation, right? So each request such as /product/1/123/2.html is redirected to some PHP script via rewrite, and that script sends \download 1234\file12.zip to the browser. If so, folder protection will not help. Please contact us in helpdesk, I need to check the configuration.
I think the situation is the same as you mentioned. Since there is also an alternative extension available in the market, I'll consider using the other one first before thinking about a solution for this one. I'm also afraid there will eventually be no solution for a problem of this kind, according to your explanation!
This is not so. You can protect the above PHP file using the php_include method, or you can also modify the htaccess file generated by new_rewrite to handle the above rewritten URLs. The exact solution depends on the exact configuration.