If they only need to update the website through ftp, then you don't need to make them regular users. If they have accounts because they use their account to produce the changes (rather than offline), then they will need normal access to perform change the website. You can have a shell running in a jail. This would mean providing a scaled down version of the system inside of the jail.
You can have a non-anonymous ftp server running in a jail, and make these two people guest users.
This link could be a starting point for you:
http://aplawrence.com/Bofcusm/1444.html
Having read access to /etc is normal, as many programs require read access to the configuration files, such as when they login, their home directory and default shell are read from /etc/passwd.
If you put them in a ch-rooted jail, you need to be careful which commands you include. For example, with the restricted shell, the '/' character isn't allowed in pathnames. But just executing a script will remove the restrictions. Starting a regular bash shell, if you allow it would also remove restrictions. The restricted shell is intended to be used to run a server in a jail. It is insurance in case the service crashes.
Most distributions have security settings, and the highest is often called 'paranoid' settings. This may even restrict users from accessing man pages.
Also, if you have a storage partition mounted, such as an external vfat drive to store mp3's for instance, make yourself the owner and group owner of the partition, and use the 'noexec' and 'nodev' option.
Also, you can tighten up the password policy. This way, a user can't choose a weak password. This can help prevent a third party from guessing the passwords of one of the users.
If the strictest security level isn't enough, and they can't get their work done in a jail, maybe you don't want others accessing your computer in the first place. You would probably be safer in the long run concentrating on security issues in general, such as removing programs and commands that a web-server doesn't need, removing unnecessary suid programs, not running any services like mail that have shell hooks. Scanning your machine looking for open ports.