1. You would still need to enable SSH for the user -- like you would regularly do it. It just that would not see anyone on the server but themselves, and their ability to do any damage (or to discover any info they shouldn\'t be able to discover) highly diminished.
2. Yes, one set of binaries for all.
3. Wait for CageFS 3.0 -- should be coming out tomorrow... or I will start firing my developers