My previous article which explains how one can easily get the URL / download link posted by vendor without purchasing it.

http://www.aliroman.com/article/a-bug-in-2checout-passback-variables-26-1.html

the reponse from 2checkout.com support is as follows which they have provided to me. They said it is recommended not to provide the URLs, then I guess this feature must be disabled or at least one shoule know that people can easily get their product without purchaisng it. Here is the reponse, I am posting it here so that you can better understand how everything works (only for educational purpose)
 
Note : I am just copy and pasting a few points form the email.
The ability to include ‘demo=Y’  to return to the vendor defined approved URL
without placing a valid order is not a security flaw, it is the intended usage
of this parameter.  It is included in the parameter set in order to allow for
vendor testing, from the start of the order process (passing the parameters to
2checkout’s purchase routine), to the end of the order process (returning to
the Approved URL defined by the vendor).

It is true that if a vendor defines an approved URL allows access to the
downloadable product/service they are selling, and the vendor takes no further
security precautions, someone could download the product/service by including
the ‘demo=Y’ parameter.

It is not recommended to provide a downloadable product/service to a customer
immediately after a sale completes by means of a return to the Approved URL.
It is recommended to allow the fraud review process to complete before
providing your customer with the product/service.

We realize that some vendors may not wish to wait for the fraud review process
to complete before providing their customer with a downloadable
product/service.  For such vendors, the MD5 hash is provided to help verify
the authenticity of a sale.  We intentionally break the hash code that is
passed back if the ‘demo=Y’ parameter is used. You can compare the value of
the hash we pass back with the value of what the hash should be (this needs to
be calculated on your end). This will allow you to determine whether or not to
provide the customer with the downloadable product/service.  It should be
noted that when using this method to provide a downloadable product/service
immediately, you do run the risk of having your product/service stolen by
someone placing a fraudulent order with a stolen credit card.

For full details on using the MD5 hash please refer to the following Help Desk
article:

https://support.2co.com/deskpro/faq.php?do=article&articleid=336

If you choose to provide a downloadable product/service immediately after a
sale using the Approved URL, and do not check the MD5 key which is passed to
the Approved URL to verify the validity of the sale before providing a
customer with a product, then you are accepting the risk that your product may
be taken without being paid for by someone who includes the ‘demo=Y’ parameter.

 
Now, I guess one must check twice before giving an instant download link after the successfully payment, becuase as a vendor I know there are a lot of people using stolen credit card to make purchases which end as a CHARGEBACK or refund.