This is what I've done when I wanted to reduce the set of commands a
user could run. I'm sure a reasonably competent Unix user could easily
circumvent these restrictions, but it's a good first start, and making
such attempts would result in account suspension.
Change their shell to /bin/rbash in /etc/passwd:
bbonds:x:50539:50539:Barry Bonds,,,:/home/bbonds:/bin/rbash
Change the ownership and permissions on their .bash_profile and .bashrc
to root:root 644:
-rw-r--r-- 1 root root 420 Sep 21 13:05 .bash_profile
-rw-r--r-- 1 root root 746 Sep 21 13:05 .bashrc
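
An added example, not part of the original post: a POSIX shell function that checks the two settings described above (login shell /bin/rbash, and .bash_profile and .bashrc owned by root with mode 644). The function name check_rbash_user and its optional passwd-file and owner arguments are assumptions introduced here so the check can also be run against a constructed fixture.

```shell
#!/bin/sh
# Added example (not from the original post): audit the restricted-shell
# setup for one account. check_rbash_user is a hypothetical helper name.
#
# Usage: check_rbash_user USER [PASSWD_FILE] [EXPECTED_OWNER]
# Returns 0 if every check passes, 1 on a failed check, 2 if USER is unknown.
check_rbash_user() {
    user=$1
    passwd=${2:-/etc/passwd}   # assumption: overridable for testing
    owner=${3:-root}           # assumption: overridable for testing
    rc=0

    # Fields 6 and 7 of a passwd entry are the home directory and login shell.
    entry=$(awk -F: -v u="$user" '$1 == u { print $6 ":" $7; exit }' "$passwd")
    if [ -z "$entry" ]; then
        echo "FAIL: $user not found in $passwd"
        return 2
    fi
    home=${entry%%:*}
    shell=${entry#*:}

    if [ "$shell" != "/bin/rbash" ]; then
        echo "FAIL: login shell is $shell, expected /bin/rbash"
        rc=1
    fi

    for f in .bash_profile .bashrc; do
        path=$home/$f
        if [ ! -f "$path" ]; then
            echo "FAIL: $path is missing"
            rc=1
        # find prints the path only if owner and exact mode both match;
        # a symlink in place of the file fails this test as well.
        elif [ -z "$(find "$path" -prune -user "$owner" -perm 644)" ]; then
            echo "FAIL: $path is not owned by $owner with mode 644"
            rc=1
        fi
    done

    if [ "$rc" -eq 0 ]; then
        echo "OK: $user"
    fi
    return "$rc"
}
```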