This depends on whether this is an internet or internal intranet application. If it is internal, and using Windows authentication or Active Directory authentication, then you could protect the files using file-based permissions.
If it is an external internet application, then you will have to develop some logic to protect your files. Let's assume that your Authentication is robust - you can accurately confirm that a user is who they say they are. What you need now is an Authorisation system - something that determines what an identified user can access.
Let's assume that you have an id for user 101. You could prepend 101_ to the start of filenames that only that user could access, 101_report.pdf for example. You would need to write some code to prevent serving out files prefixed with the wrong id. (You could remove the 101_ after you have done the Authorisation check if you don't want your users to see it, or you could store all of the user's files in a folder called 101.)
If you want files accessible to multiple users, you will have to develop a way of linking a user to a file and of checking those links each time you display your page. You might want to consider Groups as well if you can logically group users into real world groups that will share a given set of files. But only do this if you are really going to need it as it adds a whole new level of complexity.
One common way to implement this is to store the files in a database as binary data. Don't worry about your database getting too big if you are using SQL Server. Binary fields are not stored in the data tables themselves so they don't affect performance. What this would allow you to do is very quickly look up what files the logged in user has access to using quick database joins. Then stream out the data in a response stream when the user requests a particular file (after another check of course - you can't be too careful).
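An added sketch of the user-to-file link check described above, covering direct links, group links, and the second check at download time. It is not part of the original answer: it uses Python's `sqlite3` as a stand-in for SQL Server, and the table names, function names and sample rows are constructed for illustration.

```python
import sqlite3

# Hypothetical schema: files held as binary data, plus link tables for users and groups.
SCHEMA = """
CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT NOT NULL, content BLOB NOT NULL);
CREATE TABLE user_files (user_id INTEGER, file_id INTEGER REFERENCES files(id),
                         PRIMARY KEY (user_id, file_id));
CREATE TABLE group_members (group_id INTEGER, user_id INTEGER,
                            PRIMARY KEY (group_id, user_id));
CREATE TABLE group_files (group_id INTEGER, file_id INTEGER REFERENCES files(id),
                          PRIMARY KEY (group_id, file_id));
"""

# Constant SQL fragment (never built from user input): ids of files the user
# is linked to directly, or through a group they belong to.
ALLOWED = """
SELECT uf.file_id FROM user_files uf WHERE uf.user_id = :uid
UNION
SELECT gf.file_id FROM group_files gf
  JOIN group_members gm ON gm.group_id = gf.group_id WHERE gm.user_id = :uid
"""

def list_files(db, user_id):
    """Files to show on the page for the authenticated user."""
    sql = f"SELECT id, name FROM files WHERE id IN ({ALLOWED}) ORDER BY id"
    return db.execute(sql, {"uid": user_id}).fetchall()

def fetch_file(db, user_id, file_id):
    """Download path: file_id comes from the request, so authorisation is
    re-checked here instead of trusting what the listing page displayed."""
    sql = f"SELECT name, content FROM files WHERE id = :fid AND id IN ({ALLOWED})"
    row = db.execute(sql, {"uid": user_id, "fid": file_id}).fetchone()
    if row is None:
        # Same error for "missing" and "not yours", so ids cannot be probed.
        raise PermissionError("file not found or not authorised")
    return row  # (name, bytes) ready to write to the response stream

def demo_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO files VALUES (?, ?, ?)",
                   [(1, "report.pdf", b"%PDF-101"), (2, "payroll.pdf", b"%PDF-102"),
                    (3, "handbook.pdf", b"%PDF-team")])
    db.executemany("INSERT INTO user_files VALUES (?, ?)", [(101, 1), (102, 2)])
    db.executemany("INSERT INTO group_members VALUES (?, ?)", [(1, 101), (1, 102)])
    db.execute("INSERT INTO group_files VALUES (1, 3)")
    return db
```

The `user_id` passed to both functions must come from the server-side authenticated session, never from a request parameter.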