I am not sure if this is like a "drop-off only" or if they're supposed to be allowed to access these files after they upload...
But most likely you are looking maybe here on the menu in the Control Panel: .htaccess/WebDAV
Through here, you can create a folder (say, the uploads folder) then make it password protected by checking that and entering in some user accounts/passwords... You can also block certain file types, and they have a few added in already for example. I would leave "WebDAV" unchecked, since these likely aren't going to be WebDAV folders.
I am only days new to this interface, myself... so I'm still learning my way around, but hopefully that may steer you in the right direction?