Vulnerbilties:
You do not sanitize 'email' on your download page which leads to a SQL injection (
http://ca2.php.net/manual/en/function.mysql-real-escape-string.php)
You do not sanitize your "$_GET['download_file']" request on the download page which leads to full web-server-user access to the filesystem. A crafty attacker could make their file '../../../../../../../../../etc/passwd' and access any file that your web server has access to. There are several ways to correct this, you could do a regex filter for just "A-Za-z0-9\." which would only allow alpha-num and periods, or you can filter out slashes. There are several other methods, but I prefer the regex.
Errors:
You set "$fullPath" after you have used it first (logical error)
Your switch at the end uses a semicolon instead of a colon for "default"
You are missing a semicolon in your $header assignments. (I assume this is because you just edited these in quickly at the end)
Die is a function, not a language construct: you must surround paramaters with parenthesis. (The last die in your script should be die("blah blah blah"); instead of die "blah blah blah";)
Suggestions:
You do not sanitize your URLs (
http://ca3.php.net/manual/en/function.urlencode.php)
Convert all user-enterable values as a single case when hashing. ie, $gToken = hash('md5', $email . time()); would be $gToken = hash('md5', strtolower($email) . time());
Do not store your downloadable content in a 'hidden' web-accessible folder. If possible, keep the content is a folder below your web accessible folder (ie, if your content was in /var/www/htdocs/, keep your downloadable content in /var/www/downloads/)
Change your 'Used Increment' statement to use the DB value rather than a fetched value. This prevents users from accessing the page all at once quickly and the counter not incrementing properly. (Allows for more than 3 possible downloads). The query would be "UPDATE removed SET Token = Token + 1, Used = '0' WHERE Email = '" . mysql_real_escape_string($email, $con) . "'"
Avoid printing mysql_errors in non-dev environments, and just leave the 'could not connect' message.
While not wrong, I suggest you include your link identifier ($con) in your query and sanitation function calls. It's a good habit to be specific when you can. :)
And that's just a quick scan. It is really easy to make vulnerable code in PHP as you can tell. :)