Not sure what zip file you're referring to, but once you've extracted a plugin to its directory you don't need the zip file anymore so can delete it, or move it outside the public directory.
To block access, if you're on Apache server you can put a .htaccess on that directory with this:
Deny from all
This allows access from PHP and stuff on the server, but prevent access through the browser. Be warned that it prevents access to all files, so if you have some CSS/JS or some PHP files that you load manually through the browser they will not work. You can copy the htaccess to multiple subfolders if required.
Another option is to limit access to certain file types only. I think this would work:
<FilesMatch \.zip$>
Deny from all
</FilesMatch>
