Hi auke1,
You're actually partly right... the .iso file you downloaded is everything. It contains the OS plus all the packages that you'll need or want.
The other files that you mentioned are merely there to help you verify the authenticity of the 4.5Gb .iso file you downloaded. Briefly, a so-called hash was created for the .iso file using the MD5 algorithm. If you open the 1kb MD5 file, you'll see it's just plain text that contains the name of the .iso file and a cryptic key. You can then use various tools which use that cryptic key to verify the .iso file has not been corrupted when downloaded, or altered by anyone. Without going into too much detail, if the contents of the .iso file were in any way modified (either intentionally/maliciously or not) then the cryptic key would not match, so you'd know in advance that the file was not to be trusted.
Hope that makes sense... I'm not sure I've explained it as best as possible, but post back if you're unsure about anything.
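
The check described in the reply above, written out as an added example that is not part of the original post: it reads the small checksum file, recomputes the MD5 of the named file in chunks, and reports whether the two match. The line layout (`<32 hex characters>  <filename>`, as `md5sum` writes it), the name `example.iso` and the sample data are assumptions constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def parse_checksum_file(path):
    """Parse md5sum-style lines ('<32 hex chars>  <filename>') into {name: digest}."""
    entries = {}
    with open(path, encoding="utf-8") as fh:
        for line in filter(None, map(str.strip, fh)):
            digest, _, name = line.partition(" ")
            name = name.strip().lstrip("*")  # a leading '*' marks binary mode
            if len(digest) != 32 or not name:
                raise ValueError("unrecognised checksum line: %r" % line)
            int(digest, 16)  # raises ValueError when the digest is not a hex number
            entries[name] = digest.lower()
    return entries


def md5_of_file(path, chunk_size=1 << 20):
    """Hash the file in 1 MiB chunks so a multi-gigabyte image never sits in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(checksum_path):
    """Return {name: 'OK' | 'MISMATCH' | 'MISSING'} for files beside the checksum file."""
    base = Path(checksum_path).resolve().parent
    results = {}
    for name, expected in parse_checksum_file(checksum_path).items():
        target = base / name
        if not target.is_file():
            results[name] = "MISSING"
        else:
            results[name] = "OK" if md5_of_file(target) == expected else "MISMATCH"
    return results


def demo():  # constructed stand-in for the download: verify, alter one byte, verify again
    with tempfile.TemporaryDirectory() as d:
        iso = Path(d, "example.iso")
        iso.write_bytes(b"constructed sample image data\n" * 1000)
        md5_file = Path(d, "example.iso.md5")
        md5_file.write_text(md5_of_file(iso) + "  example.iso\n")
        before = verify(md5_file)
        iso.write_bytes(iso.read_bytes().replace(b"c", b"C", 1))  # change a single byte
        return before, verify(md5_file)
```

Calling `demo()` returns the result before and after the one-byte change. The result is only as trustworthy as the copy of the checksum file it is compared against.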