Nether the readfile nor the content-disposition will parse correctly. Single quoted strings are literal string's in PHP and all content within them are treated as literal strings.
header('Content-disposition: attachment; filename="' . $_GET['fname'] . '"');
Now, this is *extremely* insecure. Nothing stops the user from reading any file off of the machine that this user account has access to. So you'll want to replace any characters that are illegal within the filename, in particular, the / character. Then what you can do is you can resolve the path, take the dirname off of it, and compare it to where you want to serve from. This process can be kludged together:
$sRequestedPath = realpath($_GET['fname']);
if (dirname($sRequestedPath) == '/path/to/allowed/location')
// now you can process.