Providing file upload/download facilities is a huge can of worms. In addition to the possibility of attacking your server there's also questions about data smuggling. malware and intellectual property. But since you are specifically asking about the former...
Disabling PHP execution in this way only provides a single layer of prevention. if that layer fails for some reason then your security is gone. Also, this only prevents execution of the content if the webserver is pointed directly at the URL of the file - it doesn't provide any protection if someone can trick the existing php code into including the content.
A minimal approach would be to store the content outside of directories accessible by URLs (i.e. outside of the document root and any other mapped directories).
This does not prevent the inclusion vulnerability but eliminates the direct addressing vulnerability. All access to the content must then be mediated by a PHP script. But on the upside, its a lot easier to avoid OMGWTFs like:
ForceType application/octet-stream
Switching off PHP execution (php_flag engine off) is a better solution to disabling execution than changing the mime type. Forcing a mime type like this is always a bad idea.
An alternative/complementary approach, would be to encode the files thus preventing code inclusion vulnerabilities.
It's also a good idea to allocate your own filenames to the artefacts on your host filesystem.
