• Note I said "for the web"... I'm the fella here who has the happy job of monitoring the ever-increasing volume of SQL Injection attacks that hit our sites every passing day. 🙁

    In general I'd work on the first principle that an account being used by a website shouldn't be allowed to do anything at all, and then relax it from there, if it's really necessary. But again - the first principle ought to be: "I'll need a lot of convincing that it's really necessary".

    However - I do like the line I just read (regarding desktop apps) that said "if my company hired them then they must be reasonably trustworthy." That shifts the blame where it really belongs... The HR / Personnel Department!