yes thats bascially it.
here is an example
/downloads/hello.zip (which accessed directly is denied)
the token version would be
/downloads/aa1469dd64687462ee30378e14d34105/55918ae6/hello.zip
the token is md5 hash of the secret string + filename + time in hex
final url is path + token + hextime + filename
Would probably be easy to edit a plugin like imgbed, instead of images, for zip files, and instead of linking to to markdown img format, generate the token and spit that out.