The user directories that ISPConfig supports is something a bit old fashion for hosting these days. Unless you're at a university, I don't expect anyone to be using this feature. Also, with it enabled, HackerSafe and ScanAlert complain that it's a security vulnerability being able to guess usernames.

The offending lines in Vhosts_ispconfig.conf:

AliasMatch ^/~([^/]+)(/(.*))? /home/www/web1/user/$1/web/$3
AliasMatch ^/users/([^/]+)(/(.*))? /home/www/web1/user/$1/web/$3

How to remove from HTTP vhosts:

First, copy the default vhost configuration file to the customized_templates:

cp /root/ispconfig/isp/conf/vhost.conf.master /root/ispconfig/isp/conf/customized_templates/

Next, edit the new file /root/ispconfig/isp/conf/customized_templates/vhost.conf.master to delete the following lines:

AliasMatch ^/~([^/]+)(/(.*))? {HTTPD_ROOT}/{WEB}/user/$1/web/$3
AliasMatch ^/users/([^/]+)(/(.*))? {HTTPD_ROOT}/{WEB}/user/$1/web/$3

How to remove from HTTPS vhosts:

For https virtual hosts, ISPConfig does not currently provide a template. Instead, you will need to edit a php file.

edit /root/ispconfig/scripts/lib/config.lib.php:
Around line 1569 or 1603 (depending on version) delete the following lines:

AliasMatch ^/~([^/]+)(/(.*))? ".$mod->system->server_conf["server_path_httpd_root"]."/web".$web["doc_id"]."/user/$1/web/$3
AliasMatch ^/users/([^/]+)(/(.*))? ".$mod->system->server_conf["server_path_httpd_root"]."/web".$web["doc_id"]."/user/$1/web/$3