I liked the simplicity and robustness of Ken's answer: use unix groups.
> We would like to create accounts for restricted users
To be sure we understand the requirements, what precisely do you mean by
"restricted users"? Do you *only* mean the following?
> These users would have access to the filesystem
> as appropriate, but would not be allowed to run the applications living
> under /opt and /usr/local.
If you only mean the above, then in the context of "primarily for data
sharing purposes", what precisely do you mean by "access to the filesystem as
appropriate"?
Regards,
Dan W.