I always feel reluctant to call something "the best".
One approach could be: you change the permission to role mapping for this file (-->
.../manage_access) removing the "View" permission from those roles you want to prevent from downloading (this should prevent view and download) (be careful, workflow may control this permission and undo your manual changes; usually "File" has no workflow - but otherwise, surprises are possible). Of course, you now must provide special means to views presenting this file (as by default, they no longer can view it). For this, you can use so called "proxy roles". They are assignable via the ZMI to page templates and can be defined in "*.metadata" files for "FSPageTemplate" objects. To set proxy roles in Python code, you can use
dm.zopepatches.security (to be found on PyPI) -- more precisely, the functions defined in its