cgi-bin directory in Apache configuraiton lacks AllowOverrider All
When ISPconfig generates an Apache configuration file with CGI enabled, it creates a section listing options for the local directory that is mapped to /cgi-bin/ from the URL.
This description has two directives: Allow from all Order allow,deny
However, it needs another one, without which access restrictions to /cgi-bin/ via local .htaccess file (e.g., password protection) will not work: AllowOverride All
This directive is already present for the main web directory, but is omitted for the /cgi-bin directory.
Please, add it to the appropriate template. Alternatively, change the AllowOverride for the whole virtual host from 'None' to 'All' (which is, IMHO, a worse solution).