XAMPP, WINDOWS2003 VDS, PHP5, APACHE2 Free hosting script creates users in folder http://pcsny.org/users/%username% for example: if new user has login=newuser then his directory is http://pcsny.org/users/newuser/ and http://newuser.pcsny.org httpd-vhosts.conf looks like this ################################################### <Directory "C:/aweb/freehosting"> Options Indexes Includes FollowSymLinks ExecCGI AllowOverride all Order allow,deny Allow from all </Directory> <VirtualHost *:80> DocumentRoot "C:/aweb/freehosting" ServerName pcsny.org ServerAlias www.pcsny.org php_admin_value open_basedir "/" </VirtualHost> <VirtualHost *:80> ServerName pcsny.org ServerAlias *.pcsny.org VirtualDocumentRoot php_admin_value open_basedir "C:/aweb/freehosting/users/" </VirtualHost> It is working but not secure enough because of this php_admin_value open_basedir "C:/aweb/freehosting/users/" Bad script can see and fully control anything in folder /users/ I tried to do so php_admin_value open_basedir "C:/aweb/freehosting/users/%1/" Bad alas it is not so easy as with VirtualDocumentRoot So I’ve got some questions: 1. How to lock users in their respective folders 2. How to disable user to access his web page through http://pcsny.org/users/%newuser%/ and redirect them to appropriate sub domain (because this way they gain full control over system)? 3. Will .htaccess in user’s folder override all my security efforts to zero? How to prevent this without disabling .htaccess?