This is a tricky one: when visiting an asset link that is behind a login restriction, the postLoginUrl is currently set to the asset URL. What this means is that the asset will download immediately after login, but that the user may be either left on the login screen or redirected to the homepage (depending on their browser).
There are a couple of scenarios:
User has visited the download link by clicking on a link within the site: in this case, redirect to the page containing the link
User has visited the download link directly or from external site link: not sure what to do here yet (needs more thought)