Apache directory security best practices

[s0c0]

My php app allows users to store files on my server.  Each user has their own directory on apache where the files go.  Currently I have this directive:

 

 Options MultiViews -Indexes SymLinksIfOwnerMatch IncludesNoExec

 

Which gives the user a forbidden error if they were to try to navigate to www.example.com/user/ted.  Is this the best way to do this or should I be doing this a more elegant way?  While this is ok security I guess a program could be written that brute forced http requests like www.example.com/user/ted/file.zip ... file2.zip ... file3.zip etc and eventually it could download a file.  So what are best practices on making this more secure?

 

Anyways I'd appreciate your thoughts on this matter.