Windows 2003 Server SP1
PHP 4.4.1 - CGI Mode

I have a default ini setup for my server, but found one of my customers setting their own php.ini file and then having register_globals enabled. This concerns me to some extent.

When someone loads their own php.ini in their site, does it get loaded at the application level, or the thread level for that site? If at the application level, then everyone in that site can now be accessed via register_globals.

Is this correct to assume?

So the real question is, are there any security issues with a single site setting their own php.ini in their site, and can it affect other accounts on a shared server?

    9 days later

    I'm wondering the same... Anyone have any insight on this? 😕

    Notfixingit
