There are ways to limit CGI capabilities to work as they usually would, yet deny them anything that's too much like shell access. You can still deny their user, or a global user, access to certain or all functions, or filter, wrap and control them. Of course, this isn't an easy task for most people, but it's one worth doing, wherein you allow the clients all the access they could want or need via CGI, PHP, etc., yet still not allow them the same access they'd have in shell.
I'll post here in a couple of days, when I have some free time, and attempt to explain, cover the issues, aspects and theories and at least outline a solution that can be implemented, as well as try to explain exactly what and how to. However, as the other user said, unless these things are done, you are basically giving them shell access, although it can be controlled a little easier when denying them, whereas shell restrictions prove more difficult for the most part. Of course, some things are easier to restrict in shell than they are in CGI too.