In short: it would be great if, under Admin -> System, in addition to "Enable Web Admin Access", there were also "Enable Web User Access". This (if "Enable Web Server" is enabled) would allow the admin to lock out user access to the web interface. The admin would have to go directly tohttp://ipaddress/adminto get to the admin interface.
The admin web interface is useful for administration, and checking settings (even on a remotely-provisioned phone), but the user interface is in a tricky situation. IMHO using a user password is too much of a burden on the phone itself. Conversely, not setting a user password, but leaving the web server enabled, would allow for anyone who knows/finds the IP address to mess with user settings remotely. True, it's nothing you couldn't do by walking up to the user's phone, but in any group of 10 or more people, one of them is bound to be a jerk who would nmap the voice vlan and set everyone's ringtone to a rickroll. :)
"Enable Web User Access" would allow admins to poke into a phone's web interface remotely, but would allow for phones with no user passwords to be secure from a remote perspective. I'm getting ready for a deployment, and as it stands now, I'll probably have TFTP provisioning disabling Web Server.
Configure Multicast Paging on the Cisco IP Phone 7800 Series or 8800 Series Multiplatform Phone
The Cisco IP Phone 7800 and 8800 Series Multiplatform Phones provide voice communication over an Internet Protocol (IP) network...
Add Call Park on a Cisco 7800 or 8800 Series Multiplatform Phone Key Expansion Module
Call park allows the user of the phone to put an incoming call on hold so that the call can be retrieved on another phone. A call is park...