You could create a custom document type for your Hi-Res photos. Store them in the document tree and assign permissions to them.

Maybe even create a template for this new document type that does a 301 redirect to the attachment and set that as the default template for the document type (you may need to do something so it doesn't redirect when in editing or design mode.)

Then you can set permissions on it like any other document.

This is theory. I've never tried this before.

Another (possibly easier) way to do this would be to create a custom ashx handler that you use for the links to the hi-res photos. You can pass the handler a querystring to identify the actual hi-res image file. In the handler you can check for whatever permissions you want and send them to an access-denied page if they fail authentication or serve up the image if they pass.

If I were going to do this, I would create a Hi-Res image role to had the users to (unless your client has more specific needs) and assign the appropriate users to that role.

If you go the custom document type route, take a look at the "file" document type. You will find that it has custom pages for "New" and "Editing" .

You could probably inherit from cms.File and use the same custom pages, but since your custom document type won't actually be a cms.File type, the CMS shouldn't treat it like one by sending all requests of the document to the file attachment. You can then create the custom page template like I mentioned earlier that will redirect to the file attachment after permissions for the document have been checked.

P.S.
About the password without a user name. This could get a little bit tricky and it would be easier if you went the custom ashx handler route. Create a custom login web part that only has the password field. You can hard-code the default username or make it a web part setting field. When calling the authentication method, pass in that user name and the typed in password. Make it so the handler redirects to a page with this particular login web part when a user fails authentication when trying to access the files.

If I were you, I would highly recommend to the client that they need to send out both a username and password in their newsletter. That would make it much easier on you and would also allow them to use more of the built-in permission features of the CMS.

Ivana is right that it would not be very secure. You would have to be very careful with the permissions that you assign to the user account that they distribute in the newsletter.

It would be much better if the newsletter had a link to a registration page with a registration control that is configured to assign new registrants to a role that has been given permission to view the hi-res documents.

I would pass Ivana's information about the security issues that can be caused by sharing a user name and password to your client and suggest using a Role to permission the Hi-Res photos and the registration of each user that wishes to access those files.

P.S.
The reason I suggested that you create a custom document type and a handler for the Hi-Res photos is that you would otherwise have to set the site to check permissions for all files, which will cause the site to take a considerable performance hit.

Massive thank you for giving me some great advice and information.

After a bit of a discussion with the client, I have managed to change the client's mind and we're now going to have a separate area for the downloadable images, with it's own login page - so it has become a whole lot simpler.

Thanks again.

Bev