My new suggestion for wording for requirement 3:
Must be deployable to IIS and Apache without requiring actions by the server administrator in a configuration where the user can upload static files, run serverside scripts (such as PHP, ASP, and CGI), control http headers, and control authorization, but only do this for URIs under a given set of subdirectories on the server.
Not sure if there is a better more technical term for "URIs under a given set of subdirectories on the server". The idea is that the user might only have access to control "/~sicking" and "/trip-planner-2010" and resources under those directories.
/ Jonas
