mIRC already disables /run and /dll, but I can think of a few ways still to do evil things.
Whadda bout a 'safe mode' switch (which can be configured in an advanced panel), enabled by default, so that users who don't understand WHAT A DLL OR PROGRAM DOES will have to actively fight thru dialog warnings to enable it?
Features to disable, suggestion:
Any files in mIRCdir or above, specifically mirc.ini's:
/write [-c]
/copy [-o]
$findfile
Other
sockets - debatable, they have a lot of positive uses, but do you want people to be able to read the contents of your files to an open socket? Which isn't too hard...
/com
/run & /dll of course...
/load from anywhere but the commandline
there's prolly a few more but i'm tired...
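
A static check for the commands listed in the post, added here as an example (not part of the original post and not mIRC's own code): a Python heuristic that flags them in a script so a user can review it before loading. It assumes "/com" means the /comopen and /comreg commands and "sockets" means the /sock* commands; the sample script is constructed.

```python
import re

# Commands named in the post, grouped the way the post groups them.
# Assumption: "/com" = /comopen, /comreg; "sockets" = the /sock* commands.
RISKY = {
    "file": r"write|copy",
    "exec": r"run|dll|load",
    "com": r"comopen|comreg",
    "socket": r"sock(?:open|listen|write|udp)",
}
# A command starts a statement: line start, or after | { : ) and it may carry
# the / // . ! prefixes. Heuristic only, so every hit is a review item.
CMD = re.compile(
    r"(?:^|[|{:)])\s*[/.!]*(?P<cmd>%s)\b" % "|".join(RISKY.values()), re.I)
IDENT = re.compile(r"\$findfile\s*\(", re.I)
# The post singles out mirc.ini and files under the mIRC directory.
SENSITIVE = re.compile(r"mirc\.ini|\$mircdir", re.I)

def category(cmd):
    """Map a matched command name back to its group in RISKY."""
    for name, pat in RISKY.items():
        if re.fullmatch(pat, cmd, re.I):
            return name

def audit(script):
    """Return (line_no, category, token, touches_config) for each hit."""
    findings = []
    for no, line in enumerate(script.splitlines(), 1):
        text = line.strip()
        if text.startswith(";"):              # mIRC comment line
            continue
        sensitive = bool(SENSITIVE.search(text))
        for m in CMD.finditer(text):
            cmd = m.group("cmd").lower()
            findings.append((no, category(cmd), "/" + cmd, sensitive))
        if IDENT.search(text):
            findings.append((no, "file", "$findfile", sensitive))
    return findings

# Constructed sample script, not taken from any real script.
SAMPLE = r"""
; constructed sample
on *:TEXT:!cfg:#: { write -c mirc.ini x | .run notepad.exe }
alias backup { copy -o mirc.ini c:\tmp\m.ini }
on *:TEXT:!ls:?: { echo -a $findfile(c:\,*.txt,0) }
on *:TEXT:hello*:#: { msg $chan please write back }
alias net { sockopen s example.com 80 | //dll x.dll f }
"""

if __name__ == "__main__":
    for hit in audit(SAMPLE):
        print(hit)
```

The word "write" inside the chat message on sample line 6 is not flagged, because it does not sit at the start of a statement.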