In short: it would be great if, under Admin -> System, in addition to "Enable Web Admin Access", there were also "Enable Web User Access". This (if "Enable Web Server" is enabled) would allow the admin to lock out user access to the web interface. The admin would have to go directly to http://ipaddress/admin to get to the admin interface.
The admin web interface is useful for administration, and checking settings (even on a remotely-provisioned phone), but the user interface is in a tricky situation. IMHO using a user password is too much of a burden on the phone itself. Conversely, not setting a user password, but leaving the web server enabled, would allow for anyone who knows/finds the IP address to mess with user settings remotely. True, it's nothing you couldn't do by walking up to the user's phone, but in any group of 10 or more people, one of them is bound to be a jerk who would nmap the voice vlan and set everyone's ringtone to a rickroll. :)
"Enable Web User Access" would allow admins to poke into a phone's web interface remotely, but would allow for phones with no user passwords to be secure from a remote perspective. I'm getting ready for a deployment, and as it stands now, I'll probably have TFTP provisioning disabling Web Server.