1. On the RaQs (all), any file in the web tree which ends in .cgi or .pl will be processed as a CGI. You don't need a special directory.
When a user connects via FTP, they will be in their own "home" directory. The vsite web directory is "next to" them in the directory tree, so they have to change up 2 directories and then back down into the vsite web directory if they want to upload or download site content.
2. Yes, you can password-protect directories, but there's no UI tool to do it. You have to shell in and make the .htaccess and .htpasswd files manually.
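One way to create the two files from a shell, as an added example that is not part of the original answer. The paths, realm name and user are placeholders rather than RaQ defaults, and `openssl` is assumed to be installed for hashing.

```shell
#!/bin/sh
# Added example; every path and name passed in is a placeholder.
# Apache only honours these directives where AllowOverride AuthConfig is set.
# Basic auth sends the password base64-encoded, so serve the area over HTTPS.

# write_htaccess DIR PWFILE WEBROOT: require a login for DIR.
write_htaccess() {
    dir=$1; pwfile=$2; webroot=$3
    case $pwfile in
        "$webroot"/*)  # a password file in the web tree may be downloadable
            echo "refusing: $pwfile is inside the web tree" >&2; return 1 ;;
        /*) ;;
        *)  echo "password file path must be absolute" >&2; return 1 ;;
    esac
    cat > "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted"
AuthUserFile "$pwfile"
Require valid-user
EOF
}

# add_user PWFILE USER: read the password from stdin, store an APR1-MD5 hash.
add_user() {
    pwfile=$1; user=$2
    case $user in
        ''|*:*) echo "invalid user name" >&2; return 1 ;;
    esac
    hash=$(openssl passwd -apr1 -stdin) || return 1
    [ -n "$hash" ] || return 1
    # Rebuild the file without any old entry for this user, then append the
    # new one. umask 077 keeps the temp file private; the final chmod assumes
    # the file's group is the one the web server runs as.
    (
        umask 077
        touch "$pwfile" &&
        awk -F: -v u="$user" '$1 != u' "$pwfile" > "$pwfile.new" &&
        printf '%s:%s\n' "$user" "$hash" >> "$pwfile.new" &&
        mv "$pwfile.new" "$pwfile" &&
        chmod 640 "$pwfile"
    )
}
```

Run `write_htaccess` once per protected directory, then pipe each password into `add_user` so it never appears in the process list or shell history.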