Basically I control several servers and I only host either static websites or scripts which I have designed, so I trust them up to a point.

However, I have a few customers who want to start using scripts such as Wordpress or many others - and they want full control over their account.

I have started to do the basics - like on php.ini, I have locked it down and restricted commands such as proc, however, there is obviously a lot more I can do.

right now, using NTFS permissions, I am trying to lock down the server by running Application Pools and individual sites in their own user, however I feel like I am hitting brick walls... (My old question on Server Fault).

At the moment, the only route I can think of is either to implement an off the shelf control panel - which will be expensive and quite frankly, over the top, or look at the Microsoft guide - which is really for an entire infrastructure, not for someone who just wants to lock down a few servers.

Does anyone have any guides that can put me on the correct path?