I suppose this concerns Apache more than Zope, but it might be a little cleaner to put the PCGI wrapper into its own sub-directory... Has anyone given thought to security questions arising from using Zope.cgi? I had to add <Directory "/path/to/Zope2"> Options ExecCGI </Directory> This makes me wonder if there might be some way to trick apache into trying to execute any of the other files in this directory (to my knowledge, not possible). The rewrite rule should prevent this, though I'm not entirely comfortable with this, since it depends on zope being up and running. Having only *.cgi files is nice, although a trojan file could be introduced if the administrator is a little careless (since zope's install leaves it to the user to correct permissions). But if you use -DSECURITY_HOLE_PASS_AUTHENTICATION instead of the rewrite rule, you have to move things around... My $0.02: it might make sense to move Zope.cgi to a subdir by default, if only to lessen the likelihood of security holes appearing...