See, that's another situation. I don't see why the employee has to be able to run that script himself. He could for instance communicate with a daemon running with sufficient permissions to launch the script on his request, where launching that script is hardcoded in the daemon and cannot be parametrized from its employee-side interface. (In practice, this communication is encapsulated by a tool or interface.) That way, he never gets to actually see the script. All he can do is command the system to do exactly what he is supposed to be able to command it to do and nothing else.

Deny by default is the only sane and unflawed approach to security. Never grant any permissions that allow more abilities than essential. A user who is supposed to be able to start one script with a fixed set of parameters has no business having a shell account.