Basically I control several servers and I only host either static websites or scripts which I have designed, so I trust them up to a point.
However, I have a few customers who want to start using scripts such as WordPress or many others - and they want full control over their account.
I have started to do the basics - like on php.ini, I have locked it down and restricted commands such as proc; however, there is obviously a lot more I can do.
Right now, using NTFS permissions, I am trying to lock down the server by running Application Pools and individual sites under their own user; however, I feel like I am hitting brick walls... (My old question on Server Fault).
At the moment, the only route I can think of is either to implement an off-the-shelf control panel - which will be expensive and, quite frankly, over the top - or look at the Microsoft guide - which is really for an entire infrastructure, not for someone who just wants to lock down a few servers.
Does anyone have any guides that can put me on the correct path?
First, I'm making some assumptions, so please excuse me if I missed the point of your question. I'm assuming that you are providing some web hosting services for some of your clients, and now they are asking for control over the web host, as opposed to you doing all the work for them.
Two words: virtual machine. Don't give them access to your host web server. Let them have full control of a VM instance - if they muck it up, your more valuable host is not harmed or tampered with - only their sites & services. Then you can give them administrative control over the instance and not have to worry about it (except for backups of their initial instance - but that depends on your contract with your clients). They'll also feel more special when you give them an administrator account. :-) I highly recommend this path if it is at all possible for you.
If that's not an option and you're OK with sharing your host system with your clients, I would then suggest partitioning one of your disk arrays such that your client has their own volume to host their sites and data from. You could create a base directory for them within your own , but then you have to muck around with NTFS permissions and inheritance, which, depending upon the complexity of your file system, could get ugly.
If it's an option, it's much simpler to create a new volume/partition - with their own volume to use, security will be much, much simpler as you could give them full control over the volume, and you can assign disk space limitations as well so they can't fill up your disks and bring your system to a halt.
I think you're on the right track with the separate application pools and separate sites. You may want to look at this article on the delegation of rights to manage sites and applications (IIS 7). It'll get more complicated if they start using databases - however, if all they want to do is host some static content, the above should keep them from running amok.
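
The per-customer application pool, site and NTFS permissions discussed in this thread, as an added PowerShell example that is not part of the original posts. The function name, customer name, host header, `D:\Customers` root and the writable `uploads` subfolder are assumptions chosen for illustration.

```powershell
# Added example: one app pool, one site and one locked-down folder per customer.
# Assumed (not from the thread): function name, D:\Customers root, 'uploads' subfolder.
#Requires -RunAsAdministrator
Import-Module WebAdministration

function New-IsolatedSite {
    param(
        [Parameter(Mandatory)][string]$Customer,    # e.g. 'customer1' (hypothetical)
        [Parameter(Mandatory)][string]$HostHeader,  # e.g. 'customer1.example.test'
        [string]$Root = 'D:\Customers',             # assumed dedicated customer volume
        [string]$WritableSubdir = 'uploads'         # only place the site may write
    )
    $pool     = "pool-$Customer"
    $path     = Join-Path $Root $Customer
    $writable = Join-Path $path $WritableSubdir
    $identity = "IIS AppPool\$pool"                 # virtual account unique to this pool

    New-Item -ItemType Directory -Path $writable -Force | Out-Null

    # Dedicated worker process running as the pool's own identity
    New-WebAppPool -Name $pool | Out-Null
    Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel.identityType `
        -Value ApplicationPoolIdentity

    New-Website -Name $Customer -PhysicalPath $path -ApplicationPool $pool `
        -HostHeader $HostHeader -Port 80 | Out-Null

    # Anonymous requests run as the pool identity instead of the shared IUSR account
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Customer `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
        -Name userName -Value ''

    # Drop inherited ACEs so nothing leaks in from the parent folder, then grant
    # read/execute on the site root and modify only on the writable subfolder.
    icacls $path /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' `
        "${identity}:(OI)(CI)RX" | Out-Null
    icacls $writable /grant "${identity}:(OI)(CI)M" | Out-Null

    # Return the resulting ACL so it can be reviewed: no other customer's pool
    # identity and no broad group such as Users should appear here.
    (Get-Acl $path).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Usage (constructed values):
# New-IsolatedSite -Customer 'customer1' -HostHeader 'customer1.example.test'
```

Because each pool identity has rights only inside its own folder, a compromised script in one customer's site cannot read another customer's files through the file system.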