securing files


esthera
05-22-2006, 02:05 PM
What I want to do is have my client be able to upload files to a secure place.
Then users will log in with username and password and view just their files. (see a list and click to view)

What is the best way to do this?

degsy
05-22-2006, 04:15 PM
There are many tutorials available for member areas
http://www.aspin.com/home/tutorial/usermanage/login

esthera
05-22-2006, 04:27 PM
But how do I make the files secure so that others can't try to guess the link and go to it? Also, do I need SSL?
Each user will have their own secure files.

ghell
05-24-2006, 02:26 PM
If you are running the server yourself you can assign NT permissions or install iispassword to get an Apache-like htaccess system going. Otherwise I believe you may be able to use a .hta file or something like that, but I'm not sure (haven't seen one used for a few years so I don't remember if that's even the correct file extension); that may be IE only or something.

I used to have a system up where a page was used with username and password to get a really long random-looking directory name and its contents etc.; the user never saw the directory. Directory names were randomly generated and stored, although a hash could be used. An example of such a directory was something along the lines of /4im2o3idoj238tu498289ejd9834985jgfmcmcvgnoi34oi3mdsl3/ but you could just use a directory above the virtual root and an ASP file to access it (for example, if you are just in root you could put something in C:\inetpub\userfiles\dave\ or anywhere else on the hard drive if you have permissions there). This probably requires server access.

esthera
06-18-2006, 03:08 PM
That sounds like what I need, but if I have a file, say 1.pdf, stored above the web root -- how do I let the user download this file? (Obviously after I check that his username and password are correct.)

ghell
06-18-2006, 04:14 PM
Read the file with the file system object using parent paths (it needs permissions to read the file and use parent paths: ..\downloads\1.pdf or C:\inetpub\downloads\1.pdf or wherever it is, as long as it has permissions, etc.) and get it to binary write it to the output stream.

Google for ASP download script or something to check this (maybe w3schools has something on Response.OutputStream and Response.BinaryWrite, I don't know). You may also have to set the Response.ContentType but I think modern browsers can handle it with no type (it probably just defaults to application/octet-stream if you use BinaryWrite, I'm not sure).

I have a download script somewhere but don't remember it off the top of my head (it's not big though).

This is how you can do things like ensure people are logged in before downloading or whatever like that, by the way. However, don't try it with files that are too big as I think there is a 40mb limit or something like that, but I'm not 100% sure as I have never run into the limit, just been told about it. There are ways of getting around it by sending some then flushing the buffer or something like that but I'm not sure.
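
The approach described in the post above (check the login, then binary-write a file kept outside the web root), as an added example that is not part of the original thread: a classic ASP page that takes the folder from the session, so a guessed file name cannot reach another user's files. The page name `download.asp`, `Session("username")`, the `file` query parameter and the helper names are assumptions, and it uses `ADODB.Stream` for the binary read rather than the file system object.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' download.asp (added example). Assumptions: the login page stored the
' authenticated user name in Session("username"), and each user's files
' sit in BASE_DIR\<username>\, a folder outside the web root.
Const BASE_DIR = "C:\inetpub\userfiles"
Const CHUNK_SIZE = 65536  ' bytes written per flush

' True only for a plain name: no "..", slash, backslash or drive letter.
Function IsSafeName(value)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_\-]+(\.[A-Za-z0-9]+)?$"
    IsSafeName = re.Test(value)
End Function

Sub Fail(statusLine)
    Response.Status = statusLine
    Response.End
End Sub

Dim userName, fileName, fso, fullPath, stream
userName = Session("username") & ""
fileName = Request.QueryString("file") & ""

If Len(userName) = 0 Then Fail "401 Unauthorized"
If Not (IsSafeName(userName) And IsSafeName(fileName)) Then Fail "400 Bad Request"

' The folder comes from the session, never from the request, so a user
' cannot name another user's folder even with a guessed file name.
Set fso = Server.CreateObject("Scripting.FileSystemObject")
fullPath = fso.BuildPath(fso.BuildPath(BASE_DIR, userName), fileName)
If Not fso.FileExists(fullPath) Then Fail "404 Not Found"

Response.ContentType = "application/octet-stream"
Response.AddHeader "Content-Disposition", "attachment; filename=""" & fileName & """"

' Send the file in chunks, flushing after each one, and stop if the client left.
Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = 1  ' adTypeBinary
stream.Open
stream.LoadFromFile fullPath
Do While Not stream.EOS And Response.IsClientConnected
    Response.BinaryWrite stream.Read(CHUNK_SIZE)
    Response.Flush
Loop
stream.Close
%>
```

A file listing page would enumerate the same session-derived folder and link to `download.asp?file=<name>`; the real path never appears in a URL.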

esthera
06-18-2006, 04:17 PM
Can I use the file system object to read PDFs and Word files as well?

esthera
06-18-2006, 05:36 PM
Any need to use SSL for a situation like this? The documents are personal information.

ghell
06-18-2006, 06:25 PM
Secure Sockets Layer is used to stop people intercepting signals between server and client. It is unlikely that anyone would do this, but you could if you want I suppose (I'm not sure how though). Alternatively you could simply encrypt the PDF and Word files and any other files you wish to send with WinRAR's password protection on the server machine (or before they are uploaded or whatever, I don't know) if you are worried about specific files.

Roelf
06-18-2006, 10:29 PM
Just remembered we had a thread about this a while ago:

http://www.codingforums.com/showthread.php?t=70889