In the LSWS admin console, there are 4 choices:
CageFS without suEXEC
"CageFS" can meet your requirement 1).
However, 2) and 3) are not possible in a shared host environment, which may have thousands of user accounts -- for the time being.
There is a workaround to meet the requirements closely: choose XCache instead of APC. While one copy of the opcode cache is shared by all accounts, only the admin can see the cache's content.