One way to do this is register a filter (ad_register_filter) on the appropriate URLs. You can create a small package (which I did once, long ago, but have since lost) which you mount at the URL you wish to set the permissions on (e.g. /cgi-bin), which basically just register the filter in its init script, and then you can set the appropriate permissions from the site-map. Unless you put some effort into it, it will probably require that you restart the aolserver when you mount or unmount an instance so that the filters are up to date.
