Like I said before this is kinda hearsay, haven't tried it myself, but I guesstimate it'll go like this:
Add group and passwd, add users as member to group, mkdir dir and chown dir to group.
Now users that are members of group can chgrp to it. For using PAM, /etc/security/access.conf could provide coverage denying by host, but if you've got many users (also dyn. IPs) this will be very cumbersome, better deny by username. There's a PAM module that can read usernames from a file (like ftpusers), maybe add that to the PAM stack when users do chgrp.
Plz read some docu before shooting yourself in one of your own extremities of choice: all about groups (part 4) and the Linux-PAM SAG
*And no, I haven't got the thread about this all but I told you it's on this site, so just search, it's not like you gotta wade tru all of the net rite?
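
The two PAM approaches mentioned in the post above, as an added configuration sketch that is not part of the original post. The account names, address ranges, deny-file path and the `SERVICE` file name are constructed placeholders; `pam_access.so` and `pam_listfile.so` are the stock Linux-PAM modules.

```conf
# --- /etc/security/access.conf (read by pam_access.so) ---
# Format: permission : users : origins   (first matching line decides)

# Deny by host: every network has to be listed, and users on dynamic
# IPs fall outside whatever ranges are written down.
# 192.0.2.0/24 and 198.51.100.0/24 are constructed documentation ranges.
#- : ALL : 192.0.2.0/24 198.51.100.0/24

# Deny by username: one line, independent of where the user connects from.
# "alice" and "bob" are constructed account names.
- : alice bob : ALL

# --- /etc/pam.d/SERVICE (placeholder for the service that should enforce this) ---
# Make this service consult access.conf.
account  required  pam_access.so

# Alternative: keep the denied usernames in a file, one per line (ftpusers style).
# /etc/security/denied-users is a hypothetical path.
# onerr=fail rejects everyone if the file cannot be read, so create it
# (root-owned, not world-writable) before adding this line.
auth     required  pam_listfile.so item=user sense=deny file=/etc/security/denied-users onerr=fail
```

Keep a root shell open while editing a PAM stack and test with a second login before closing it, since a typo in a `required` line can lock out the service.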