[Zope] protecting users from hostile authors

Kyler B. Laird laird@ecn.purdue.edu
Fri, 24 Aug 2001 12:39:12 -0500


We're in the process of building a cluster (just
installed 8 machines) for serving a bunch (tens
of thousands) of users.  Many/most of these
people will also be authors.  A single (X.500-
based) authentication system will be used for
most everything.

I'm trying to get a handle on what policy I want
to use in order to keep authors from doing Bad
Things to authenticated users who visit their
pages.

Looking around on Zope.org, I realized that this
might already be addressed.  Is there anything
that prevents me (as a Zope community member
with authoring privileges on zope.org) from 
luring users who have already authenticated with
Zope.org to come look at my pages, and then
running arbitrary commands with their
privileges?

Anyone else grappling with this situation?  I'm
trying to decide how to set policy so that users
are reasonably safe, but authors still have the
freedom to create Cool Stuff.  There will most
certainly be multiple classes of authors - those
who can act with the authenticated user's
privileges and those who can not.  I'm not quite
sure how to implement that yet, though.

I'm also concerned about links to Bad Things,
like "delete your home directory" disguised as
"Get porn here!".

Any thoughts?  Has this already been hashed out
somewhere that I should have found?

Thank you.

--kyler
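The scenario the post describes, as an added example that is not part of the original message and not Zope code: a toy Python model in which a privileged action ("delete your home directory") is triggered by a page under an author's control while the visitor's browser attaches the visitor's session cookie. The session store, cookie values, form-field name `csrf_token` and the handler names are all constructed for the illustration. It contrasts a handler that authorises on the ambient cookie alone with one that also demands a per-session anti-forgery token, and then shows the limit of that defence when the author's page runs script in the same origin as the privileged form.

```python
"""Toy model of an author-controlled page driving an authenticated visitor's
browser into a privileged request. Constructed example, not Zope code."""
import hashlib
import hmac
import secrets

# Server-side secret used to derive tokens; in a real deployment it comes
# from configuration, not a module-level variable.
_SERVER_SECRET = secrets.token_bytes(32)

# Session store, cookie value -> authenticated user (constructed data).
SESSIONS = {"sess-victim-123": "alice"}


class Request:
    """What the server sees: the cookie the browser attached and the form body."""

    def __init__(self, cookie, form):
        self.cookie = cookie
        self.form = form


def csrf_token(cookie):
    """Per-session anti-forgery token, HMAC-bound to the session cookie so the
    server stores nothing extra and a token from one session is useless for another."""
    return hmac.new(_SERVER_SECRET, cookie.encode(), hashlib.sha256).hexdigest()


def render_delete_form(request):
    """The site's own 'delete my home directory' form, with the token embedded."""
    return {"action": "/delete_home", "csrf_token": csrf_token(request.cookie)}


def delete_home_naive(request):
    """Authorises on the ambient cookie alone: any page the visitor loads can fire it."""
    user = SESSIONS.get(request.cookie)
    if user is None:
        return (401, "not logged in")
    return (200, f"deleted home directory of {user}")


def delete_home_hardened(request):
    """Also requires the per-session token, which a page on another origin cannot read."""
    user = SESSIONS.get(request.cookie)
    if user is None:
        return (401, "not logged in")
    supplied = request.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(request.cookie)):
        return (403, "missing or bad anti-forgery token")
    return (200, f"deleted home directory of {user}")


# --- three kinds of visitor ---------------------------------------------------

def victim_clicks_real_form(cookie):
    """The legitimate path: the visitor submits the form the site rendered."""
    form = render_delete_form(Request(cookie, {}))
    return Request(cookie, {"csrf_token": form["csrf_token"]})


def cross_site_lure(cookie):
    """A hidden auto-submitting form on a different origin ("Get porn here!"):
    the browser attaches the victim's cookie, but the page cannot see our token."""
    return Request(cookie, {"confirm": "yes"})


def same_origin_author_script(cookie):
    """Script in an author page served from the SAME origin as the privileged form:
    it fetches the real form as the victim and lifts the token out of the response."""
    form = render_delete_form(Request(cookie, {}))  # runs with the victim's cookie
    return Request(cookie, {"csrf_token": form["csrf_token"]})


def run_scenarios():
    """Status codes for each visitor against each handler."""
    c = "sess-victim-123"
    return {
        "naive_cross_site": delete_home_naive(cross_site_lure(c))[0],
        "hardened_cross_site": delete_home_hardened(cross_site_lure(c))[0],
        "hardened_legit": delete_home_hardened(victim_clicks_real_form(c))[0],
        "hardened_same_origin_script": delete_home_hardened(same_origin_author_script(c))[0],
    }


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name}: {status}")
```

The last scenario is the one that matters for a site where authors publish on the same hostname as the privileged actions: a per-request token stops a forged request from another origin, but it cannot stop script that already runs in the visitor's origin, because that script can read the token like any other page content. Keeping untrusted authors from running script in the visitors' origin (a separate hostname for author content, or no active content at all for the lower-trust author class) is what the token check depends on.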