With regards to a cronjob which periodically changes permissions:
On linux its trivial to see if there is an open file handle on the file with lsof or fuser. If you created a cronjob, simply have it check for an open file handle and skip a permissions change on any file which is currently being accessed.
There is still a race condition chance where someone could open() the file between the time of check and execution of the permissions change. Shell scripts aren’t atomic.
A better idea might be to create a sticky bitted directory without read permissions, which a cron job periodically goes through and moves file to a read only directory to make available for download.
In both cases, you don’t want your cron job to be “rude” and run too often but you also want the files to be available as quickly as possible. I’ll leave the frequency as a exercise for the reader.