Web Hosting Talk

security issue with php on windows server 2008


vidaa
09-05-2010, 04:20 AM
I run PHP via CGI under my Windows Server 2008 (Helm CP), but it has a big security issue: you can have access to all domains from only one domain. I mean on the shared hosting, a client can hack all domains of the server by a simple .php page.
I configured some items in php.ini, but the problem wasn't solved. Would you please tell me what I should do?

Steve_Arm
09-05-2010, 06:26 AM
Yes, read these articles:

http://learn.iis.net/page.aspx/246/using-fastcgi-to-host-php-applications-on-iis-7/
http://learn.iis.net/page.aspx/764/ensure-security-isolation-for-web-sites/

AI-Wayne
09-05-2010, 03:23 PM
Yes, read these articles:

http://learn.iis.net/page.aspx/246/using-fastcgi-to-host-php-applications-on-iis-7/
http://learn.iis.net/page.aspx/764/ensure-security-isolation-for-web-sites/

Those are two good articles. Sounds obvious, but also make sure that you've removed the 'users' group from all of your 'domains' folders and their parent folder.

jackpx
09-05-2010, 08:05 PM
http://help.dotnetpanel.com/HOW-TO/Home/How%20to%20prevent%20users%20to%20access%20anothers%20user%20folder.aspx

PremiumHost
09-05-2010, 10:02 PM
I run PHP via CGI under my Windows Server 2008 (Helm CP), but it has a big security issue: you can have access to all domains from only one domain. I mean on the shared hosting, a client can hack all domains of the server by a simple .php page.

Simply because you did not configure file & folder permissions correctly.
jackpx's link is a good start for the correct configuration.

vidaa
09-06-2010, 03:21 AM
Thanks for your replies, but my server is Windows Server 2008 and if I remove user permission, all of the sites go down. I set a user with deny permissions for helmwebusers; it solved the ".asp" security hole, but PHP didn't work via Helm and I don't know what I should do with it.

PremiumHost
09-07-2010, 03:39 AM
Deny Users permission does not work the same way as remove Users.
Are you using Helm 3 or Helm 4?

vidaa
09-07-2010, 04:33 AM
Helm 4, I tried this but it downed all sites.
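
Added example (not part of any post in this thread, and not Helm's own tooling): a read-only PowerShell audit for the advice above about the 'Users' group on the domains folders and their parent folder. The path D:\Domains is a placeholder assumption, and the script assumes PowerShell 2.0 or later.

```powershell
# Added example: audit only, it changes no permissions.
# $DomainsRoot is a hypothetical path; pass the parent folder that holds your site folders.
param([string]$DomainsRoot = 'D:\Domains')

# Well-known SID of the built-in Users group, resolved to its local (possibly localized) name.
$usersSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$usersName = $usersSid.Translate([System.Security.Principal.NTAccount]).Value

# Check the parent folder itself and every site folder directly under it.
$folders = @(Get-Item -Path $DomainsRoot) +
           @(Get-ChildItem -Path $DomainsRoot | Where-Object { $_.PSIsContainer })

$report = foreach ($folder in $folders) {
    $acl = Get-Acl -Path $folder.FullName
    foreach ($ace in $acl.Access) {
        # Keep only access entries whose trustee is the built-in Users group.
        if ($ace.IdentityReference.Value -ne $usersName) { continue }
        New-Object PSObject -Property @{
            Folder    = $folder.FullName
            Type      = $ace.AccessControlType   # Allow or Deny
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited         # True: the entry comes from a parent folder
        }
    }
}

# Any row here means the Users group still has an entry on that folder.
$report | Sort-Object Folder | Format-Table Folder, Type, Rights, Inherited -AutoSize
```

Rows with Inherited set to True come from a parent folder, so they are dealt with at that parent or by changing inheritance on the site folder. A Deny row blocks every account that is a member of the group, whereas removing the entry only stops granting access through the group.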