I need a couple pointers to the family of files that control
who can exec() processes.  The objective is to limit this
functionality to root and all other users to fork().  Similarly
taking away the limit of only root being able to bind to the low
ports (<1024).  How easy/hard are these mods?

Objective:
project to build a maximally stripped and limited firewall
type machine.

Is it worth my time?  Any counter arguments as to the merit
of such a practice?