I've tested the Download product type.
Once order approved, the download is available in "My Downloads", as expected, and the download link is http://website.tld/products/in-commerce/elements/download.elm/test.html?env=file.downl--- .
I've been very surprised to discover that this download link works anytime, on any other browser, even after I logged out. How does filtering on download permissions applies? Does this problem belong to my local installation?