Setting Permissions of Directories under www for High Security

The situation is this:
Assume there is a directory called "wwwsub" under www root,
and there are 2 files inside it: "index.php" and "bye.html",
and the owner of wwwsub & the 2 files is "tom".

Now the question is:

For Internet users,
They can see bye.html & can see result of index.php via browsers.

For ALL Shell users(except root),
They cannot read/write the code inside index.php & bye.html.
"apache" group (has only 1 user: "apache") can read/write the code inside index.php & bye.html.
File owner "tom" can only have write permission(NOT Allowed to READ) on index.php & bye.html.
They cannot read the content of wwwsub.
"apache" group (has only 1 user: "apache") can read/write wwwsub.
File owner "tom" can only have write permission(NOT Allowed to READ) on wwwsub.

How can I set the permissions for wwwsub, index.php & bye.html such that
Internet users can browse the site but the restrictions for Shell users can also be enforced?

There really is NO WAY you can stop shell users from reading those files unless you have just a single web site on the server. The most secure way would be to implement SuExec with minimal permission.
Next time you post something like this, it's better off that you show us the ls -Al output instead.

Actually, I have not got such website setup yet.
It's just a plan by my boss.

In fact, my problem is:
Is it possible to turn off all permissions for Others (i.e. chmod ??0) and make "apache" as the file's group, but still allowing Internet users to be able to see the site?

>> make "apache" as the file's group, but still allowing Internet users to be able to see the site?

Yes. But if you have multiple sites you just can't do it effectively because every local user can simply write a script (which will execute under apache) to mess around with each other files.