The easiest setup is to use cFos PNet with one user. To increase security, you should create a limited user and run cFos PNet as this limited user. Prior to offering public services, you limit access of your drives and folders (using the Windows security settings), so that the user impersonated by cFos PNet may only access it's private and public folders.
You can also allow different users access to the cFos PNet folder tree. By setting the user directive in .htaccess, you determine which user is impersonated when serving the corresponding folder. JavaScript execution is also done under this user impersonation. Use the Windows security setup to restrict access for each user only to the files and folders that user needs. It is, for example, possible to include arbitrary include files using the server side include (SSI) mechanism. To allow a certain user only access to his/her files, you need to restrict his/her access to his/her folders only.
Don't use client data uninterpreted. For example, if your webpages allow user input which is displayed as HTML, you may want to clean the input first to prevent <script> or <iframe> tags, etc. from being included in the output pages. Otherwise all kinds of cross-site attacks are possible.
Filenames should always be checked, so access is restricted to cFos PNet's public folders only. You can use the filename_ok and absolute_filename functions for this purpose. For example an attacker might try to use filenames like this: "..\..\..\windows\..." in order to make your scripts access the Windows folder, instead of the public folder.
Best practice is to run everything under a limited user and restrict access only to the cFos PNet files.