Can you do it backwards? I.e. set the site default, at the head of the webroot, so that it disables executables and scripts for the entire site, and then selectively turn them on for the sections that need them? If the user directories get created more often than the other directories on your webroot, this seems like the way to go. Sure, it's a pain when you're building your 'own' pages, but you have more granular control over the non-user directories anyways since these are usually specific objectives...

You might also want to check into Access Control Lists. They give some documentation on Microsoft's site about these, I know there's a command-line command you can use to set someone's access programatically...

andre germain
"Wherever you go, there you are."