[Exim] Restricting outgoing mail

I am currently configuring exim on a server used for hosting customer
sites. However at present exim access is denied to users to stop them
abusing options like PHP mail() to send out spam (which has been abused
previously). Now I would like to re-enable exim but deny a list of users
access to setting the CC: and BCC: headers, is there any may to do this?

Vince.