For multiuser systems, if you don't trust the individual users for whatever reason, but they might need CGI access, I prefer using CGIWrap (or for Apache, suEXEC).

As the CGIs are then run as the individual web user, and not the httpd user, you can use standard unix groups to control who has access to execute perl. (well, that assumes they don't just drop a new copy of perl on the system, as they must have write support, or you wouldn't be asking the question).