What is considered best practice to generate a URL that is publicly accessible, but shared via a side channel, so that it is in practice private to the group sharing it?
Something like:
http://example.com/club/XX-XX-XX-XX
http://example.com/club/YY-YY-YY-YY
Where XX-XX-XX-XX shared among one group, and YY-YY-YY-YY is shared by another group. If you have one valid code, it should not be easy to guess other valid codes.
No other security is required for the URL.
GUIDs are always a good choice for unique IDs and are very easy to generate (but look ugly)
I would recommend generating a UUID. You can use Java's java.util.UUID and URLEncode/Decode its textual representation if your back-end is in Java. I'm sure there's an equivalent in .NET if you're using ASP.NET.
To generate path part of URL use some form of hash (SHA1 will do). Of course randomized.
chmod the directory where files reside to 711 (rwx--x--x)
A random sequence of alphanumeric characters would do the job. Characters choosen among 26 lower case letters, 26 upper case letters and 10 numbers repeated a dozen of times should largely be enough for your need.
You're in a trade off between complexity and readability (or even memorability). GUID offers a 'unique' code that as has been mentioned is easy to generate however readability and memorability are low. Random character strings arbitrarily split might also offer a solution. Lastly, english words randomly chosen would be easier to memorise and communicate and would probably still offer the same level of isolation and protection.
After all, unless your users a particularly diligent and disable address history and browser history then the URL will be there for all to see who subsequently visit the machine.