IWP security settings?

I know IWP isn't terrible secure to begin with, but I want to at least try to lock my solution down as much as possible. The database is powering a signup/registration page (why they couldn't find someone to make something with PHP or similar is beyond me... ) so the users need much more access than the usual setup.

As it stands now, a script locks the user to one restricted layout and locks out the menu items on load and creates a new record.

Users have to be able to create, modify and delete records, however, becase the only way I could make an "unsubscribe" function compatible with IWP was to set info from the "new" record to a global field, delete the record, and then search old records for places where the global field matches, to then modify that record. Not the cleanest answer, but it works...

I'm a little worried though that it's too much acccess for the general web-using public. If I restrict users to a data-entry mode but allow them to run scripts with full-access, will that work? IE, if my script has full privileges and it runs a delete command, will the script work when the user personally lacks privileges to delete?