CGIWrap includes faclities similar to the cron facility for controlling who can access scripts. In general, I don't use this facility except to have a deny file available in those cases when I see someone abusing cgi scripts/extreme CPU utilization/obvious security hole/etc.
Note that none of the below is effective unless you have enabled access control files when you configure and install CGIWrap.
Basically, in order for a user to be allowed to execute scripts through cgiwrap: If the allow file exists, the user has to be in it. If the deny file exists, the user can't be in it.
With host checking enabled, it is (i think):
where x is the network and y is the mask. Userid can be * to match all users at that network/mask.
If both global and vhost are enabled, both wil be checked.