Obviously I'm not an expert LabVIEW programmer, but your idea sounds like a good one. I'll give that a shot. I've also noticed that if you text-parse a VI you get a few common tags, so I can get PHP to check those. It's not foolproof, but ought to work as a stop-gap.
As for security, I'm so far handling it on the web-server side of things - PHP calls the VI into memory under a restricted account, so theoretically it shouldn't be able to delete files. However, I'm not 100% sure that I can launch the LabVIEW web server under the restricted account. I need to do some reading on LabVIEW and remote VIs (i.e. what is a Remote Panel Container?).
Anyway, this is for a distance-education class, and will be run through the department user authentication system before getting to the PHP upload pages. There will only be a dozen students or so, so if one of them decides to trash my webserver, they'll find themselves in front of a disciplinary committee pretty quickly I would think.
Regardless, I've been working under the assumption that LabVIEW doesn't have the capability of securing a system like this. If there is some sort of inherent security for restricting what a VI can do, then I'm all ears. Whatever the security is though, it can't restrict the VI's ability to access the DAQ card, since all the hardware they're using is on a remote ELVIS board.
Thanks for your help,
-Xo