You're adding levels of confusion to the user, and overcomplicating the system.

I'd rather lock down Apache and just grant broad access to the service. Use rinetd to allow Apache to run on a non-priveleged port, eliminating any paths to root. Drop any uneeded modules, configure SELinux to compartmentalize Apache and PHP's acess to the system, etc. Since only *trusted* users are going to be on the system, you don't have to worry about the broad security issues of a shared hosting environment. Instead, you can concentrate on mitigating web vulnerabilities.

You can use a VPN to allow for remote service access for SSH, FTP, and anything else you need on the administrative end.