Just out of curiosity, wouldn't netcat be run under the same user as the web server itself? If that's the case, surely having the shell for whatever user the web server runs as set to /bin/false would remove the ability of any program to execute in this manner.

I'll have a play with my web server though later on or tomorrow to be sure, as I host a few personal websites on one of my Gentoo boxes. Results to follow....