I think you can do this with the FTP-Security server
A rule like this shoud do this.
Code:
Source Destination Service Action Comment
!Net_200 My.DMZ.ftp ftp->download Accept 'restricted download'
With an open proxy's or other tools this rule cannot see the source IP.
I agree with you that this is better handled at the application, maybe you can restrict the access directly at the ftp/http server.
Some other suggestion if the software is not *free* is to change the download process (only approved downloads) ...