OK, lets assume that each site is hosted under d:\users on the machine, with the domain name (without the dot) as the user's directory and their username. The FTPRoot is d:\users, the wwwroot for each site is d:\users\[domain]
set it so the "Users" group has LIST access to the d:\users level only (not subdirectories). Then each user would have CHANGE to their directory. Further more, create a IUSR_[domainname] (e.g.IUSR_domaina) and assign it READ/EXECUTE rights for that part of the tree and assign it as the anonymous user for that virtual webserver. This stops people accessing parts of other user's sites in ASP.
When domaina logs in, their will default to d:\users\defaulta (a feature of the MS FTP Service). They will be able to list all other domains on the server (you need LIST access, of they cannot login) by going up one level, but if they try to access any other part of the tree, they will get ACCESS DENIED.
I highly recommend that you either buy a book on administrating an NT/2000 server, or pay someone to lock down your box for you. The quickest way to lose business in the Internet world is to have very little knowledge about basic security requirements.