...and if so redirect them to www.example.com/folder/number/file.ext
Don't redirect them. readfile() this file and send it straight to the client, with the appropriate headers. The user never knows where the real file is located. Then you can simply password protect (HTTP Authentication) the real directory so that it's not accessible to any users, or have this directory above the webroot.
Yes, above the public_html folder (ie. $_SERVER['DOCUMENT_ROOT']). PHP should have no trouble accessing this area, but it's impossible for end users to access this area directly, and so you don't need to setup any additional security.