Thanks for the idea.
I have several directories that are being used for this site, but I'm only setting the library environment in those that actually use CGI. I will experiment to see what happens if I add a library for which my excluded user doesn't have authority to the CGI and non-CGI directories.
Follow-up: I created a library named WEBEXCLUDE and changed the object authority on that library to *EXCLUDE for my user. I then added the directive SetEnv QIBM_CGI_LIBRARY_LIST "WEBEXCLUDE" to each directory entry in the configuration file. After a stop and restart, the result was no different. Apparently the authority on the library only comes into play if an attempt is made to access an object in that library.
I went back and changed the user's authority to the library where my CGI programs are stored, and then I DID see a 401 Authorization Required message when I tried to access any CGI generated page.