How to check whether a download is initiated from my own domain? strpos($_SERVER['


carsten888

3:03 pm on Jan 23, 2008 (gmt 0)




In my download.php I want to check whether the download comes from my own site or from another domain. I thought of this:

$server_name = $_SERVER['SERVER_NAME'];
$previous_url = $_SERVER['HTTP_REFERER'];
$same_domain = strpos($previous_url,$server_name);

if($same_domain == 7 || $same_domain == 8){
//my domain
}else{
//other domain
}

7 for normal http://
8 for SSL https://
assuming no subdomain is used (could there be a workaround for that?).

Is this safe?
Is there a better/easier way?

cameraman

5:51 pm on Jan 23, 2008 (gmt 0)




It's ok, but you should keep in mind that referer is easy to manipulate and some people have it turned off entirely. I think a better way would be to set a session variable on your landing page and then check for it on the download page, for example:

in index.php
session_start(); // if you don't have session auto-start turned on
$_SESSION['entered'] = time();
$_SESSION['valid'] = true;

then in download.php
session_start();
if(isset($_SESSION['valid'])) {
// optional "timeout":
if(isset($_SESSION['entered']) && ($_SESSION['entered'] > (time() - 1800))) {
} // EndIf was at index within last 30 minutes
else {
} // EndElse this session is "expired"
}// EndIf has been to landing page
else {
} // EndElse not from around here

You could adjust that 1800 to whatever you think is reasonable, or of course not implement it at all.

However, this all could be moot depending on how you serve the download. For example, if you're at:
http://www.example.com/download.php

and I'm about to click on a link for somefile.zip, is it:
http://www.example.com/somedirectory/somefile.zip

Because I can probably type that address directly into my browser to get the file, since a script would never get a chance to examine it. To lock that up you'd have to deliver the file via script - using fopen() and fread() to get it from a secret/protected directory on your server and sending data directly after sending the appropriate header to the browser.
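A download.php that combines the two points above, the session check and serving the file from a directory the web server does not expose, as an added example (not cameraman's or carsten888's code). It assumes the landing page set $_SESSION['valid'] and $_SESSION['entered'] as in the snippet above, that the files live in /var/www/private (an assumed path outside the document root), and it uses readfile() in place of the fopen()/fread() loop cameraman describes.

```php
<?php
// download.php: session-gated download served from outside the web root.
// Added example; $private_dir and the file list are assumptions.
session_start();

$private_dir = '/var/www/private'; // assumed: not reachable by URL
$timeout     = 1800;               // 30 minutes, as in the post above

// Only names listed here can be downloaded, so a crafted ?file= value
// such as "../config.php" is simply rejected as unknown.
$allowed = array(
    'somefile.zip' => 'application/zip',
    'manual.pdf'   => 'application/pdf',
);

// True only if the visitor passed the landing page within $timeout seconds.
function session_is_valid($session, $timeout)
{
    return !empty($session['valid'])
        && isset($session['entered'])
        && $session['entered'] > (time() - $timeout);
}

if (!session_is_valid($_SESSION, $timeout)) {
    header('HTTP/1.1 403 Forbidden');
    exit('Please start from the landing page.');
}

$name = isset($_GET['file']) ? $_GET['file'] : '';
if (!isset($allowed[$name])) {
    header('HTTP/1.1 404 Not Found');
    exit('Unknown file.');
}

$path = $private_dir . '/' . $name;
if (!is_file($path)) {
    header('HTTP/1.1 404 Not Found');
    exit('File missing on server.');
}

// Send the bytes ourselves so the web server never exposes $private_dir.
header('Content-Type: ' . $allowed[$name]);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . $name . '"');
readfile($path);
exit;
```

Links on the landing page then point at download.php?file=somefile.zip rather than at the file itself, and a direct request for the .zip URL returns nothing because the directory is not served.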

carsten888

8:44 am on Jan 24, 2008 (gmt 0)




Thank you for all the code. I will try to make it a session.

solved!