Hi,
I think the proposal is good. I guess I am a offender of this security problem you have mentioned. Since I normally put my templates, gif, css, etc. on a single folder. Like www/templates/subsite1.
I think we should however use /includes rather than /templates since that is what we are particularly trying to secure. The includes that do not do any checking. /includes is more explicit to tell the developer to place his includes in /includes.
I guess given this structure I would not have to structure my templates as:
/www/resources/subsite1
/includes/subsite1.
Maybe /templates is better since will put also masters there. Anyway just suggesting that the name should be more obvious to the developer.