XAMPP, WINDOWS2003 VDS, PHP5, APACHE2

Free hosting script creates users in folder
http://pcsny.org/users/%username%

for example: if new user has login=newuser
then his directory is http://pcsny.org/users/newuser/
and http://newuser.pcsny.org


httpd-vhosts.conf looks like this

################################################## #
<Directory "C:/aweb/freehosting">
Options Indexes Includes FollowSymLinks ExecCGI
AllowOverride all
Order allow,deny
Allow from all
</Directory>

<VirtualHost *:80>
DocumentRoot "C:/aweb/freehosting"
ServerName pcsny.org
ServerAlias www.pcsny.org
php_admin_value open_basedir "/"

</VirtualHost>

<VirtualHost *:80>
ServerName pcsny.org
ServerAlias *.pcsny.org
VirtualDocumentRoot
php_admin_value open_basedir "C:/aweb/freehosting/users/"

</VirtualHost>


It is working but not secure enough because of this php_admin_value open_basedir "C:/aweb/freehosting/users/"

Bad script can see and fully control anything in folder /users/
I tried to do so php_admin_value open_basedir "C:/aweb/freehosting/users/%1/"
Bad alas it is not so easy as with VirtualDocumentRoot

So I’ve got some questions:
1. How to lock users in their respective folders
2. How to disable user to access his web page through http://pcsny.org/users/%newuser%/ and redirect them to appropriate sub domain (because this way they gain full control over system)?
3. Will .htaccess in user’s folder override all my security efforts to zero? How to prevent this without disabling .htaccess?