Chances are you are duplicating some functionality of your web server in this effort. Typically this is configured as a deny/allow statement. For Apache, see here. I don't know what the equivalent is for IIS.
I think the only thing that would justify this is the possibility that you don't control the webserver, but can run CGI scripts. You should still know that the environment variables can be faked through assorted means, and could still allow unwanted access.
Also, as my celebratory "use CGI" week wraps up, I'd like to suggest that you use CGI.pm both for the HTML and for accessing the env. vars.
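An added example, not part of the original post: a CGI script that makes the allow/deny decision itself through CGI.pm, for the case where the web server configuration is out of reach. The allow list, the helper name `client_allowed`, and the assumption that the script is reached directly rather than through a reverse proxy are all illustrative.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Constructed allow list (RFC 5737 documentation addresses); an assumption.
my %ALLOWED = map { $_ => 1 } qw(192.0.2.10 192.0.2.11);

# Hypothetical helper: decide on REMOTE_ADDR only.
# REMOTE_ADDR is set by the server from the TCP peer address. Do not base
# the decision on:
#   - HTTP_* variables (for example HTTP_X_FORWARDED_FOR), which are copied
#     from request headers and are whatever the client chose to send;
#   - REMOTE_HOST, which comes from a reverse DNS lookup controlled by
#     whoever owns the PTR record for the connecting address.
sub client_allowed {
    my ($q) = @_;
    # CGI.pm falls back to 127.0.0.1 when REMOTE_ADDR is unset
    # (for example when the script is run from a shell).
    my $addr = $q->remote_addr();
    return 0 unless defined $addr;
    return exists $ALLOWED{$addr} ? 1 : 0;   # exact match, no pattern matching
}

my $q = CGI->new;

if (client_allowed($q)) {
    print $q->header(-type => 'text/html'),
          $q->start_html('Restricted page'),
          $q->p('Access granted.'),
          $q->end_html;
} else {
    # Deny by default and say nothing about why.
    print $q->header(-type => 'text/plain', -status => '403 Forbidden'),
          "Forbidden\n";
}
```

If the script sits behind a proxy, REMOTE_ADDR is the proxy's address and this check no longer identifies the client, which is one more reason to prefer the server-level deny/allow rule when it is available.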