CVS newbie - I want to make a new CVS installation secure...

[Flossie]

Hi, I'm new to CVS - at least from a setup perspective (I've only been a 
bystander before now). I have some things that I want to configure to be 
more secure than they currently are - first, here's what I've done so far:
I have a new Mandrake Linux 10.0 installation, CVS installed following 
the conventional recommendations. In particular:
    CVSROOT=/usr/local/cvsroot
I've set up several users, made them members of a cvs group, etc etc.

My client is TortoiseCVS running on windows XP. The first thing I did 
was create locally c:\Projects, which is the local root point which will 
correspond to CVSROOT. Within that, I created (as a test) a folder 
called 'current'.
Then I did my first test - do a cvs checkout, pointing at the cvs root 
(/usr/local/cvsroot) - of course I didn't expect anything to happen 
since no files are yet in the repository. First scare came when my local 
'current' directory disappeared - turns out TortoiseCVS is set to 'Prune 
empty folders' - probably the worst preset ever for newbie users! ;-)

1) However the first real problem I have is that a CVSROOT folder 
appeared locally - this must have been created automatically in the 
/usr/local/cvsroot folder. This has all sorts of files with settings for 
controlling various CVS behaviour.
a) I don't want CVS users to be able to change these
b) Neither do I want them to see all this and wonder what it's all about.
How do I stop the CVSROOT folder from being checked out when a user 
wants to get the whole cvs tree? (How do I hide it?) Or can I safely 
change the permissions in some way so their CVS checkout doesn't have 
access?

2) I'm suprised how much CVS docs emphasise the fact that multiple users 
can check out the same file and CVS can resolve conflicts as checkins 
occur. However there are problems with letting users resolve conflicts 
(they can get it wrong), and I doubt a system can be 100% foolproof at 
deciding that an auto-merge is safe (in which case CVS can get it 
wrong), although the chances of error are very small.
There are other reasons, but basically, can I disable multiple checkouts?

3) Can I stop the general users from performing things like code 
branching? Stop them from removing files?

Are there any other tips on tightening up CVS security? Not security in 
the sense of SSH, etc, but once a user is 'in', limiting what they can do?

Thanks in advance...