Redirecting traffic to file server

         

larkojr

7:31 pm on Feb 1, 2015 (gmt 0)

10+ Year Member



Hi,
my first question here.
We have a web site for an online game. Now it went big. So we need to buy one more server and another one.
We have one web server that is serving web pages (1) and then another file server (2) that we are just using for hosting files. Server 2 is using like 10 TB of BW per month and we are trying to reduce users hot linking and stealing our bandwidth.
Since we can't block all people that are requesting our files 1000 times per hour, we were thinking to add some extra rules.
Is it possible that we only accept links on the file server that are coming from server 1 (apache server)?
I'm looking for a way, when a visitor clicks on a link on our website, it would redirect him to the file server, but if he is trying to get to this file from some other URL, we would block him.

Hoople

7:51 pm on Feb 1, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Welcome larkojr to Webmaster World!

Add a 'Are you human' test in between the main page and the file server.

It could be a random math question (js scripts are available) or have a check box they have to check to enable the download button.

graeme_p

8:54 am on Feb 2, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



By "file server" you mean a web server that only serves static files? Is it running Apache as well? If so, you can block by referrer using mod_rewrite. If you are using a different web server (software that is) it should have some way of blocking by referrer. Something like


RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/.*$ [NC]
RewriteRule (.*) - [F,L]


If the hotlinked files are images try:

RewriteRule (.*) /hotlink.png [L]


instead for the second line, and have a "no hotlinking" notice at /hotlink.png

The above is untested, but it and the Apache docs ([httpd.apache.org]) should be enough to fix the problem.

lucy24

6:39 am on Feb 8, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



It isn't completely clear from your post what's on the second server:
-- supporting files used only by pages that live on the first server
or
-- files that can be separately requested and used

You also have to decide what to do about requests that come in with no referer at all, because some human browsers don't send one. What about search engines? Do you want your files indexed or not?

If you are not concerned about the occasional referer-less human visitor, and server 2 is only used for supporting files, it's the basic hotlink routine:

RewriteCond %{HTTP_REFERER} !^http://www\.example\.com/
RewriteRule \.(png|gif|jpe?g)$ /hotlink.png [L]

Make one rule for image files and different rules for other filetypes (such as sounds) if you've got them. You can also do a flat [F] and deny the hotlinks outright. But people who hotlink images will often take them down faster if the site displays some horrible picture instead. (Mine's a lurid black/magenta/green picture that nobody could possibly ignore. It is not needed very often.)

In the RewriteCond, do not say [NC] and do not make the "www." optional. That way, fake referers will get the door slammed in their faces. Your real site has a name-canonicalization redirect (er... doesn't it?) so correct referers will only have one form.

If supporting files in certain directories are only used by specific pages, put that in the referer too. It's all too easy for robots to send a blanket "example.com/" referer for all requests.

The bad news: It is impossible for the server to distinguish between these two types of referer:
-- a file (of any kind) that was requested by explicitly clicking on an <a href> link
-- a supporting file that is used by a page, for example by <link rel = "stylesheet"> or <img>
The identical "referer" header is sent either way. And, of course, the referer could be fake.

The good news: Most humans who hotlink images are really quite stupid and have no idea how to circumvent a simple barrier. Even if you allow referer-less requests-- the kind you'd get if someone copied the image URL from a forums post, Facebook page or email, and then pasted it into their browser's address bar-- you're already excluding most hotlinkers.
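
Added example, not part of any post in this thread: one way to combine the rules discussed above into a single mod_rewrite block for the file server (server 2). The host name www.example.com, the directory names /maps/ and /maps-data/, and the sound file extensions are placeholders chosen for illustration.

```apache
# Constructed example for the file server (server 2).
# www.example.com, /maps/, /maps-data/ and the extensions are placeholders.
# Use https:// in the conditions if the referring site is served over HTTPS.
RewriteEngine On

# Never rewrite the replacement image itself, otherwise the image rule
# below would also apply to requests for /hotlink.png.
RewriteRule ^/?hotlink\.png$ - [L]

# A directory whose files are used by only one part of the site:
# the referer must name that part, not just the site root.
# No empty-referer exemption here, so referer-less requests are refused too.
RewriteCond %{HTTP_REFERER} !^http://www\.example\.com/maps/
RewriteRule ^/?maps-data/ - [F]

# Images: strict referer match. No [NC], "www." is not optional, and the
# dots are escaped so only the canonical host name passes.
# The first condition lets referer-less requests through; delete it to
# refuse those as well.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://www\.example\.com/
RewriteRule \.(png|gif|jpe?g)$ /hotlink.png [L]

# Other file types (sounds in this example): a flat 403 instead of a
# replacement file.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://www\.example\.com/
RewriteRule \.(mp3|ogg)$ - [F]
```

The directory rule comes before the file-type rules so that image files under /maps-data/ get the stricter per-directory check rather than the site-wide one.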