P.S. ispconfig user have shell with /bin/false or with /dev/null
And "ispconfigend" user - it is ispconfig user? I have this user.
Thats both ok. The shell of the website users depend on the website settings, e.g. if FTP is enabled and the ispconfig and ispconfigend users are from the controlpanel server on port 81.
Regarding your other question, see answer from mini14 and the ispconfig first steps guide. There are also quite a few hardening tutorials available which explain to selectively deactivate functions in php etc.
You should also use the php safemode option from the website settings.