I have a unix box which runs as a webserver and ftp server. I have a user account for a friend and while I trust him, I noticed that he can view directories above his own "web" folder which is his default directory.

I'm still trying to understand users/groups and privileges so bear with me if this is merely a matter of changing his group permission settings. He is in his own group called "web" so he's not confused into the local users group. Can I restrict this group to only view his "web" directory and lower?

consider chroot

man chroot will give you the syntax.

Good question...
in UNIX the system privileges work this way:
1. first system checks if the owner has the rights, if he/she does no other verifications will be performed.
2. then it checks the primary group that user belongs to if the right is granted no other verifications will be made
3. the same with other groups he/she belong till "others" or "world permissions will be hit.

there is chmod command that allows you to control permissions. For directories there is a "sticky" bit that means prohibition to delete files belong to other.

It is kind of big subject. Get "UNIX Essentials and UNIX Core" DVD it explains all this stuff.