Probably the same way Wordpress creates/modifies a .htaccess file.
You simply need to create a script that will generate the correct file contents for a .htpass or a .htaccess file.
When a user purchases something, add a line to the .htpass file that contains the user/pass combination, and all them to a group (probably based on filename). Then, only allow that group to access that file.
Another way to do this would be through databases.
First, when the user makes a payment, have a few tables to store their data.
First Table: User/Password
This stores the email/password combination that must be used to gain access to the users files. Basically the table consists of
int Unq_ID | text Email_Addr | varchar(150) Password
That holds your user/pass combinations.
Second Table: Files
This table holds all of your files names, IDs and where they are created.
int Unq_ID | varchar(150) Name | text Directory
Third Table: Relationship
This last table holds the relationship between the User and the Password. Also very simple:
int Unq_ID | int User_ID | int Product_ID
Basically, if the person logs in with a valid Username/Password, you go grab relationship entries that match their User_ID, and join the files with on the Product ID. To verify they can download something, simply check that an entry exists that has the right User_ID and Product_ID.
To protect a file from being accessed, make an htaccess file like this
RewriteEngine On
RewriteBase /
RewriteCond %{THE_REQUEST} ^.+$ [NC]
RewriteRule .* - [F,L]
which deny from anyone accept PHP's fopen function. Then you just create a PHP script that grabs the contents, and presents it as a download.