How do these commonly found PHP download pages (e.g. somesite.com/download.php?id=somefile) work?
I originally thought of a page that does the counter stuff and then simply redirects the user to the file's URL (which seems to be the only answer given elsewhere, though I don't see how this provides all the functionality). However, among other things, this wouldn't prevent direct linking, and doesn't allow me to password protect some files. Some sites even seem to implement download speed limiting (based on user account), queue users, etc.
They just trace many things about you - cookies, IP address, referrer link, browser name.
Most often it is done by using the PHP function readfile.
Less often, server-specific solutions are used - sending the header X-SendFile: file-location.exe for lighttpd and Apache with mod_xsendfile (nginx also has some equivalent). These are slightly better, because HTTP servers are optimized to serve content and allow for advanced usage like Range headers (for download accelerators).
If you precede your DownloadFile() function with some security verification you can easily protect the file, either via using the user_session or sending the password as part of the query.
Generally, these don't redirect to the file's URL. Instead, they use readfile() to directly output the URL from wherever it's being stored (usually, somewhere outside the web root). Solves the direct link, password protection, queuing, etc. issues. Speed limiting would need to be on the web server end.
This isn't really a PHP-specific issue. In order to make the web browser "download" (whether it be the contents of a static file or the body of a dynamically generated report), set the Content-Disposition header in the HTTP response. PHP allows you to set the HTTP headers using the header function, so your PHP script should do this before streaming the file contents back to the HTTP client.
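A sketch of the pattern the answers describe, written as an added example (not code from any of the answers): a download.php that checks the session, maps the id to a file stored outside the web root, sets Content-Disposition and streams with readfile(). The storage directory, the catalogue entries and the `user_id` session key are assumptions made for illustration.

```php
<?php
// Added example: hypothetical download.php. Paths, ids and session key are assumed.
declare(strict_types=1);
session_start();

$storageDir = '/srv/private-files';   // assumed directory outside the web root

// Constructed catalogue: id => [stored file name, login required].
// The id is only ever a lookup key and never becomes part of the path,
// so values such as "../../etc/passwd" cannot select a file.
$files = [
    'manual'  => ['manual-v2.pdf', false],
    'release' => ['release-1.0.zip', true],
];

$id = $_GET['id'] ?? '';
if (!is_string($id) || !isset($files[$id])) {
    http_response_code(404);
    exit('Unknown file');
}
[$name, $needsLogin] = $files[$id];

// Access check runs before any file data is sent.
if ($needsLogin && empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}

$path = $storageDir . '/' . $name;
if (!is_file($path) || !is_readable($path)) {
    http_response_code(404);
    exit('File missing');
}

// A download counter update would go here, after the checks have passed.

// The file name comes from the catalogue, not from the request, so it cannot
// inject extra header fields into Content-Disposition.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');

// Discard output buffers so readfile() streams the file instead of holding it in memory.
while (ob_get_level() > 0) {
    ob_end_clean();
}
readfile($path);
```

On Apache with mod_xsendfile, the buffer loop and the readfile() call can be replaced by `header('X-Sendfile: ' . $path);` so that the web server sends the file itself and handles Range requests.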