suidrun - for providing setuid to customers when you want to mount with nosuid

14 July 2005, 16:16 UTC

We have several thousand customers, mostly students. Many of them have no idea what a setuid bit is, and don't really need to know. This has led to several hundred setuid or setgid files that really should not be set-id. This may not actually be a real security threat (a setuid image file cannot do much) but there is the potential for a security problem.

Also, allowing setuid files means that someone with temporarily elevated privileges (a workstation left logged on) can easily elevate them to permanent privileges. This can be alleviated by regular scanning, but for this you need a list of allowed setuid programs, and if you have decided to have such a list, there are better ways than scanning.

So I have written a little program that can give setuid functionality to customers whose home directory is on a filesystem that is mounted with nosetuid. The program requires all setuid programs to be recorded in a control file - /etc/suidrun.rc. Provided such files pass some simple tests, they can be run as though the setuid bit were really working.

The program is available under the GPL from http://www.cse.unsw.edu.au/~neilb/source/suidrun/.

See the man-page for more details.
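
The regular scan against a list of allowed setuid programs mentioned above, as an added example (it is not part of suidrun or of the original post). The allowlist is a plain Python set of paths, an assumption for illustration that says nothing about the format of /etc/suidrun.rc; the file names are constructed.

```python
import os
import stat
import tempfile

SETID = stat.S_ISUID | stat.S_ISGID
ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def scan_setid(root, allowed):
    """Walk root and report regular files carrying a setuid or setgid bit.

    allowed is a set of absolute paths permitted to be set-id.
    Returns sorted (path, mode_string, uid, status) tuples.
    """
    root = os.path.abspath(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            except OSError:
                continue  # file vanished between listing and stat
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & SETID:
                continue
            if path in allowed:
                status = "allowed"
            elif not st.st_mode & ANY_EXEC:
                status = "inert"  # set-id bit on a non-executable file, e.g. an image
            else:
                status = "unexpected"
            findings.append((path, stat.filemode(st.st_mode), st.st_uid, status))
    return sorted(findings)


def demo():
    """Build a constructed home tree, scan it, and return {basename: status}."""
    with tempfile.TemporaryDirectory() as home:
        home = os.path.realpath(home)
        modes = {"report-tool": 0o4755, "photo.jpg": 0o4644,
                 "oldscript": 0o4755, "notes.txt": 0o644}
        for name, mode in modes.items():
            path = os.path.join(home, name)
            with open(path, "w") as f:
                f.write("constructed sample\n")
            os.chmod(path, mode)
        allowed = {os.path.join(home, "report-tool")}
        return {os.path.basename(p): s for p, _, _, s in scan_setid(home, allowed)}
```

Only the "unexpected" entries need follow-up; "inert" entries are the harmless kind of set-id file described above and can simply have the bit cleared.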




