FREE THOUGHT · FREE SOFTWARE · FREE WORLD

Security Enhancing with htaccess

What kind of security can be implemented from within the Apache Web Server's .htaccess files?

Recently I was asked the following question and decided to post it here for others.


I have set up a sandbox site for my students. They have subdirectories under a main directory on my site.


order deny,allow
deny from all

Works like a charm. One problem, though. If the student was savvy enough he could place an .htaccess file in the subdirectory he has access to that reverses this file.


order deny,allow
allow from all

Darn it all, the student is now able to run PHP scripts in his directory.

I am sure there is a way to indicate in the .htaccess file on the main level that any .htaccess files in subdirectories should be ignored. It is a simple thing, but I can't find how to do that.

My thoughts

You need to remove their ability to execute scripts. Here are a couple of different ways I do it. One caveat up front: a parent .htaccess cannot tell Apache to ignore the .htaccess files below it. Whether a subdirectory .htaccess is read at all, and which of its directives are honoured, is governed by AllowOverride, which is only valid inside a <Directory> section of httpd.conf and cannot be set from a .htaccess file. Everything below raises the bar, but only AllowOverride None (or a list that leaves out Options and FileInfo) in the server config makes it stick.

Inverse AddHandler ExecCGI Hack

This is cool: the AddHandler directive maps every file with one of those extensions to the cgi-script handler, and the next line uses the Options directive to switch ExecCGI off. The files are now CGI scripts in a directory where CGI execution is forbidden, so mod_cgi answers each request with 403 Forbidden (logging "Options ExecCGI is off in this directory") instead of running or serving the file. Note that .htm and .shtml are in the list too, so static pages in the directory are refused as well; drop them if the students should still be able to publish plain HTML. A student can undo this from a subdirectory .htaccess with RemoveHandler or Options +ExecCGI unless AllowOverride in httpd.conf withholds FileInfo and Options.

AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

Combine that with the following; with this Order a request that matches both an allow and a deny line is denied, so an allow added later cannot override the deny.

order allow,deny
deny from all

Then you might try blocking most HTTP request methods, or disabling the RewriteEngine. These are alternatives, not a pair: the method block is itself a rewrite rule, so it cannot sit in the same file as RewriteEngine Off. Two things to watch. Do not write Options -All here: it also clears FollowSymLinks, and mod_rewrite in .htaccess context refuses to run (every request gets a 403) unless FollowSymLinks or SymLinksIfOwnerMatch is on for the directory, so turn off the individual options instead. And anchor the method pattern with $, so that an unrecognised method that merely starts with GET, HEAD or POST is not let through.

Options -ExecCGI -Indexes -Includes

RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST)$
RewriteRule .* - [F]

Or, if the students should not be able to write rewrite rules at all:

RewriteEngine Off

Either way a student can turn the engine back on in his own .htaccess unless AllowOverride in httpd.conf withholds FileInfo.

If you'd rather have .pl, .py, or .cgi files displayed in the browser as plain text rather than executed as scripts, create a .htaccess file in the relevant directory with the following content. ForceType takes a single media type and applies to everything in its scope, so it has to be wrapped in a FilesMatch section to hit only those extensions; given a list of extensions as extra arguments it is a syntax error and the whole directory answers 500. Bear in mind that this serves the script source to anyone who can request the URL, so keep anything holding credentials out of such a directory.

RemoveHandler cgi-script .pl .py .cgi
<FilesMatch "\.(pl|py|cgi)$">
    ForceType text/plain
</FilesMatch>

Preventing Executables

RemoveHandler and RemoveType strip the mappings that tell mod_php and mod_cgi to execute these extensions, and Options -ExecCGI makes sure nothing still mapped to cgi-script can run. With no handler left the files are served as ordinary static content, which means their source becomes readable to visitors.

Options -ExecCGI
RemoveHandler .cgi .pl .py .php4 .pcgi4 .php .php3 .phtml .pcgi .php5 .pcgi5
RemoveType .cgi .pl .py .php4 .pcgi4 .php .php3 .phtml .pcgi .php5 .pcgi5
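The following is an added example, not code from the original post. It is a POSIX shell script that builds a throwaway sandbox tree, installs a parent .htaccess made of the directives discussed above (the inverse AddHandler trick, the Options switches and the method block), plants a constructed "savvy student" .htaccess that reverses them, and then audits the student subdirectories for exactly that kind of override. The layout (a main directory with students/<name> below it), the student names, the file name sandbox_audit.sh and the list of directives it greps for are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a throwaway sandbox
# tree, installs a parent .htaccess made of the directives discussed above,
# plants a constructed "savvy student" .htaccess that reverses them, and
# audits the student subdirectories for such overrides. The layout
# (main dir with students/<name> below it) and the directive list are
# assumptions of this example.

# Parent .htaccess: scripts are mapped to the cgi-script handler while
# ExecCGI is off, so mod_cgi answers 403; no directory listings, no SSI;
# any method other than GET/HEAD/POST is refused. FollowSymLinks is left
# on because mod_rewrite in .htaccess context refuses to run without it.
write_parent_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
AddHandler cgi-script .php .pl .py .jsp .asp .shtml .sh .cgi
Options -ExecCGI -Indexes -Includes

RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST)$
RewriteRule .* - [F]
EOF
}

# Constructed sample of what a student would write to undo the parent file.
write_rogue_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
Options +ExecCGI
RemoveHandler .php
AddType application/x-httpd-php .php
EOF
}

# Directives in a child .htaccess that can reverse the parent's protections
# (Options, handler/type mappings, mod_rewrite, PHP ini overrides).
OVERRIDE_DIRECTIVES='^[[:space:]]*(Options|AddHandler|SetHandler|RemoveHandler|AddType|RemoveType|RewriteEngine|php_(admin_)?(flag|value))[[:space:]]'

# Report every matching line in any .htaccess below $1 except $1/.htaccess
# itself. Returns 1 if anything was found, 0 if the tree is clean.
audit_overrides() {
    hits=$(find "$1" -type f -name .htaccess ! -path "$1/.htaccess" \
               -exec grep -E -i -n "$OVERRIDE_DIRECTIVES" {} /dev/null \;)
    if [ -n "$hits" ]; then
        printf 'override directives found in student .htaccess files:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Create the sample tree under a temp dir and print its path.
make_sandbox() {
    root=$(mktemp -d)
    mkdir -p "$root/students/alice" "$root/students/bob"
    write_parent_htaccess "$root"
    printf '<html><body>alice</body></html>\n' > "$root/students/alice/index.html"
    printf '<?php phpinfo();\n' > "$root/students/bob/x.php"
    write_rogue_htaccess "$root/students/bob"
    echo "$root"
}

# Demo: build, audit, clean up. Usage: sh sandbox_audit.sh run
main() {
    root=$(make_sandbox)
    echo "sandbox built at $root"
    if audit_overrides "$root"; then
        echo "no overrides in student directories"
    else
        echo "student overrides present; only AllowOverride None in httpd.conf stops them"
    fi
    rm -rf "$root"
}

if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it with sh sandbox_audit.sh run: the rogue file under students/bob is reported line by line and audit_overrides returns 1, so it can be dropped into a cron job that alerts on a non-zero status. Treat the audit as a stopgap: the directive list is a guess at what a student would reach for, and anyone who can write files into the tree can also re-create them between scans. AllowOverride None for the student tree in httpd.conf is the fix that actually closes the hole.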
