Proxy servers and NAT (network address translation) can provide major barriers to getting useful information from $ENV{'REMOTE_ADDR'}. For instance, if you've got a set of users coming in from, say, AOL, they'll all appear to have the same IP address.

If you want to identify individual users, you're going to have to resort to some manner of login/session tracking or browser via cookie. See merlyn's WebTechniques articles for suggestions.

REMOTE_ADDR is hard for the casual hacker to forge, but if someone serious comes after you, you have other problems.