No, he can't "use all the apps he want". NAT, and even static 1:1 NAT,
breaks some applications which transmit network addresses in the payload
to establish dynamic connections. This includes FTP, IRC DCC, H.323, SIP
(voice over IP), RTSP (video streaming)...
> but ...
>
> a) active ftp does not work
FTP is the most common of those applications which can be broken by 1:1
static NAT. You need to "help" the application with a "helper" iptables
module. There are usually two modules for a given protocol: for FTP,
they are ip_conntrack_ftp (keeps track of FTP connections) and
ip_nat_ftp (NATs FTP data connections and, most importantly, mangles
network addresses in the control connections payload).
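
The payload rewrite described above, sketched in user space as an added example (not part of the original message and not the kernel modules' code). The addresses, the NAT map and the function names are constructed for illustration.

```python
import re

# Six comma-separated numbers as carried in "PORT h1,h2,h3,h4,p1,p2" and in
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" (RFC 959).
ADDR_RE = re.compile(rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_endpoint(line):
    """Return (ip, port) announced in a PORT command or 227 reply, else None."""
    if not (line.upper().startswith(b"PORT ") or line.startswith(b"227 ")):
        return None
    m = ADDR_RE.search(line)
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def mangle(line, nat_map):
    """Rewrite the embedded address using a 1:1 NAT map {private: public}.

    Returns (new_line, expected_data_endpoint, length_delta). The endpoint is
    what a connection tracker would note in order to recognise the upcoming
    data connection; lines without a mapped address come back unchanged.
    """
    ep = parse_endpoint(line)
    if ep is None or ep[0] not in nat_map:
        return line, None, 0
    public = nat_map[ep[0]]
    m = ADDR_RE.search(line)
    new_addr = "{},{},{}".format(public.replace(".", ","),
                                 ep[1] // 256, ep[1] % 256).encode()
    new_line = line[:m.start()] + new_addr + line[m.end():]
    # A non-zero delta changes the TCP payload length, so a real NAT helper
    # also has to adjust sequence/acknowledgement numbers on the connection.
    return new_line, (public, ep[1]), len(new_line) - len(line)

# Constructed sample: private host 192.168.1.10 is 1:1 NATed to 203.0.113.5.
NAT_MAP = {"192.168.1.10": "203.0.113.5"}
SAMPLE = b"PORT 192,168,1,10,19,137\r\n"

if __name__ == "__main__":
    print(mangle(SAMPLE, NAT_MAP))
```

Without this rewrite the server would try to open the active-mode data connection to 192.168.1.10, which is not routable from outside the NAT.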