Each site has a single user for it. Say "Foo Inc." has a site, so the server has "foo" user.
We then have /servers/foo where all OpenACS files are. Each nsd is controlled by deamon tools. foo users can stop, start and restart the service. Also foo user has its own pg database or oracle db. So a full dump of the db will only yield a clean dump in PG. SSH keys are then given to the developers that work on foo project, so foo is passwordless/ no login. We also put the config file in /usr/local/aolserver/config or etc. We also separate the log files in each dir. So each site a its own dir of access.log and server.log. Also the config files are only edited on the top. Much of the config .tcl file are not touched anymore, except in special cases.
This is far from perfect but worked pretty ok on multiple internal developers on a server that has multiple sites. It used to have a shell script in 3.x days, but then I could not maintain it. The above infrastructure was further developed by Hamilton and others.
When I started to use other systems I think moving to /web/foo the log files, ssl, config, etc is a good idea. It s easier to transfer the sites, also easier for a new developer to come in and have all the important files there. What would be good is have each site run a separate user and not the login of the developer.
It would also be good if anyone has the time to make shell scripts to setup things. Its better sometimes to just have a shell script to do things. We normally only need the db user, type of db, user, ip address. I used to have one in 3.x days. CCM also comes with a shell script that make it relatively easier to setup a development environment. I think a shell script to install maybe good for OpenACS. If only someone has time and have good shell script capabilities. I have also seen shell script help the LAMP platform, I help a friend of mine setup one. Its been a while since I touched apache, but just using the shell scripts/make files. It seem to work.