If you disable /write then you must also disable /bwrite, /fwrite, and /writeini otherwise it's pointless. The same goes for $decompress() if you disable $decode(). Quite frankly, even then it's a trivial matter for anyone with a malicious nature and 5 minutes on their hands to create some obfuscation based on text identifiers. You'd also have to limit /alias from the command-line, otherwise it'd simply be a case of assigning the malicious code to an alias and then calling that instead. Bottom-line, there's no way to prevent ignorant people executing 'bad' code via the command-line without crippling the scripting language from there. Personally I think there should just be a 'disable command-line scripting' option and let that be the end of it.
Oh, and while we're on the subject, I'd really like %var = value assignment syntax to be available from the command-line again.
