The easiest setup is to use cFos PNet with one user. To increase security, you should create a limited user and run cFos PNet as this limited user. Prior to offering public services, you limit access of your drives and folders (using the Windows security settings), so that the user impersonated by cFos PNet may only access it's private and public folders.
Don't use client data uninterpreted. For example, if your webpages allow user input which is displayed as HTML, you may want to clean the input first to prevent <script> or <iframe> tags, etc. from being included in the output pages. Otherwise all kinds of cross-site attacks are possible.
Filenames should always be checked, so access is restricted to cFos PNet's public folders only. You can use the filename_ok and absolute_filename functions for this purpose. For example an attacker might try to use filenames like this: "..\..\..\windows\..." in order to make your scripts access the Windows folder, instead of the public folder.
Best practice is to run everything under a limited user and restrict access only to the cFos PNet files.