Here's the inescapable reality about implementing a complete, non-specific language like LUA. IT HAS FEATURES. What do I mean by that? I mean it has a lot of features, it's meant to enable someone to whatever they can conceivably think of to do with it, that's within their computers capabilities. Now of course there's lots of good in it for Powder Toy, we can integrate dynamic functionality(sync a clock in-game with our computer clock for example), but it can also do a lot of bad. Like what? Like send us a to a bad url, crash our computers, download and execute a virus, exploit running programs, delete our files... for all the good, there is bad.

So... what to do? My thoughts, pop up a permissions box for anything trying to access the following:
-The internet(sockets)
-Files
-Command Prompt
-Win32 Functions
-Load Libraries
-And whatever else could be dangerous

Download this script for a simple demo of ONE thing someone could do. This will not harm your computer, just don't run it before saving any creations you're making. To run it use dofile(string) or assert(loadfile(string)).