This is not ISPConfig-specific, as this is the same for all web servers using PHP. suPHP restricts users to a specific directory and is also able to chroot them, and more detailed restrictions can be set when you assign a specific php.ini file for a site where you disable all functions like exec, system, passthru etc. that might be dangerous and which are not needed by the site:
http://www.suphp.org/DocumentationVi...=apache/CONFIG
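
Added example, not part of the original post: a small check that reads a site's php.ini and reports which process-spawning functions its `disable_functions` directive still leaves callable. The three names from the post are kept separate from the extra names, which are an assumption about what the "etc." covers; the sample php.ini contents are constructed.

```python
import re

# Functions the post names explicitly.
NAMED_IN_POST = ("exec", "system", "passthru")
# Assumption: further process-spawning PHP functions covered by the post's "etc.".
ASSUMED_EXTRA = ("shell_exec", "popen", "proc_open")

_DIRECTIVE = re.compile(r"^\s*disable_functions\s*=(.*)$")


def disabled_functions(ini_text):
    """Return the set of names on the effective disable_functions line."""
    value = ""
    for line in ini_text.splitlines():
        if line.lstrip().startswith(";"):
            continue  # whole-line comment, e.g. a commented-out directive
        m = _DIRECTIVE.match(line)
        if m:
            # The last assignment in the file wins; drop any inline ';' comment.
            value = m.group(1).split(";", 1)[0].strip().strip("\"'")
    # Names are separated by commas and/or whitespace.
    return {name for name in re.split(r"[,\s]+", value) if name}


def still_enabled(ini_text, required=NAMED_IN_POST + ASSUMED_EXTRA):
    """List the required functions that this php.ini leaves callable."""
    disabled = disabled_functions(ini_text)
    return [name for name in required if name not in disabled]


# Constructed sample php.ini contents for two sites.
SITE_A_INI = """\
[PHP]
; disable_functions = exec,system,passthru,shell_exec,popen,proc_open
disable_functions = exec, system ,passthru ; shell access not needed
memory_limit = 128M
"""
SITE_B_INI = """\
[PHP]
disable_functions = exec,system,passthru,shell_exec,popen,proc_open
disable_functions =
"""

if __name__ == "__main__":
    for label, text in (("site-a", SITE_A_INI), ("site-b", SITE_B_INI)):
        missing = still_enabled(text)
        print(label, "OK" if not missing else "still enabled: " + ", ".join(missing))
```

Site B shows the failure mode worth checking for: a later empty `disable_functions =` line silently undoes the restriction set above it.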