The standard answer would be to use a restricted shell, making this the last entry in the password file for users in that group. As you can run external commands from things like vim (http://web.physics.ucsb.edu/~pcs/apps/editors/vi/vi_unix.html), this does not seem like a great idea if you are trying to produce a restricted environment. The first thing a user could do is use the commands in the above link to run /bin/bash and he'd be outside the restricted environment.
A better idea would be to put each user's login into a chroot jail or perhaps a lightweight container (so if they break anything it's their own container). Have a look at Docker (http://docker.io).
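An added example, not part of the original answer: a check an administrator could run over the command directory exposed to restricted-shell users, flagging entries that resolve to programs able to start other programs (the vim case described above). The function name, the program list and the directory layout are assumptions made for illustration; the list is constructed and not exhaustive.

```shell
#!/bin/sh
# Added example: audit the directory of commands offered to restricted-shell
# users. ESCAPE_CAPABLE is a constructed, non-exhaustive list of programs that
# can launch external commands from inside themselves.
ESCAPE_CAPABLE="vi vim view ex ed emacs less more man awk gawk mawk nawk find perl python python3"

# audit_restricted_bin DIR   (hypothetical helper name)
# Prints "entry -> real target" for every entry in DIR whose resolved target
# is on the list. Returns 0 when nothing is flagged, 1 otherwise.
audit_restricted_bin() {
    dir=$1
    flagged=0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue
        # Resolve symlinks so a renamed link (edit -> /usr/bin/vim) is caught.
        target=$(readlink -f "$entry") || continue
        name=$(basename "$target")
        # Drop packaging suffixes such as vim.basic or python3.11.
        name=${name%%.*}
        for bad in $ESCAPE_CAPABLE; do
            if [ "$name" = "$bad" ]; then
                echo "$(basename "$entry") -> $target"
                flagged=1
            fi
        done
    done
    return $flagged
}

# Stand-alone use: pass the directory that the restricted users' PATH points to.
if [ "$#" -gt 0 ]; then
    audit_restricted_bin "$1"
fi
```

A clean result only means none of the listed programs are exposed; it does not show that the remaining commands are free of similar features.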