Would there be a benefit if I made the "Temporary Directory" somewhere outside of the Web Root?
Likewise, would it make sense to make my permanent "Member Photos Directory" somewhere outside of the Web Root?
The logic being that if you temporarily or permanently stored photos there, I don't believe they could be executed from incoming requests over HTTP, right?
It would be best if you could mount /tmp without the execute bit so nothing in there can be executed. That way, users can upload executables all they want, but they can never run them because it's not allowed. See http://www.debian-administration.org/article/Making_/tmp_non-executable for more. This one is for Debian, but there's probably one for your distro as well.
Isn't there a way to just change the Directory Settings to "Execute = False" and you're covered?
You are taking VPS or dedicated hosting I presume?
Yes, I have a VPS.
Also, it's always a good idea to remove the original upload after you've processed it.
How do I do that?
Can I do that with my PHP script?
And a good security measure is to open all uploaded images with GD and then save them again so as to rid them of any malicious code people may have hidden in there.
Yes, I am currently doing that.
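The pieces discussed in this thread (a temporary directory and a photo directory outside the web root, removing the original upload once it has been processed, and re-saving every image through GD) fit together in one handler. The following is an added example written for this thread, not code posted by anyone in it; the directory paths, the `photo` form field, the size limit and the JPEG quality are assumptions, and the directories are assumed to be created beforehand and writable by the web server but not served by it.

```php
<?php
// Added example (not from the thread): upload handler that keeps files outside
// the web root, re-encodes the image with GD, and removes the original upload.
// UPLOAD_DIR, PHOTO_DIR, MAX_BYTES and the 'photo' field name are assumptions.

declare(strict_types=1);

// Both directories are assumed to sit OUTSIDE the document root, e.g. the web
// root is /var/www/html and these are siblings of it, never reachable by URL.
const UPLOAD_DIR = '/var/www/uploads_tmp';   // assumed temporary directory
const PHOTO_DIR  = '/var/www/member_photos'; // assumed permanent photo directory
const MAX_BYTES  = 2 * 1024 * 1024;          // assumed size limit (2 MiB)

/**
 * Decode an uploaded image with GD, draw it onto a fresh canvas and save that
 * canvas under a server-chosen name. Returns the stored path, or null when the
 * upload is rejected. The original temp file is removed in every case.
 */
function storeMemberPhoto(array $file, int $memberId): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $tmp = $file['tmp_name'];
    try {
        if (!is_uploaded_file($tmp) || filesize($tmp) > MAX_BYTES) {
            return null;
        }
        // Decide by the decoded bytes, never by the client-supplied name or MIME type.
        $info = @getimagesize($tmp);
        if ($info === false) {
            return null;
        }
        switch ($info[2]) {
            case IMAGETYPE_JPEG: $src = @imagecreatefromjpeg($tmp); break;
            case IMAGETYPE_PNG:  $src = @imagecreatefrompng($tmp);  break;
            case IMAGETYPE_GIF:  $src = @imagecreatefromgif($tmp);  break;
            default:             return null;
        }
        if ($src === false) {
            return null;
        }
        // Copy pixels onto a new truecolor canvas: only pixel data survives, so
        // anything hidden in metadata, comments or trailing bytes is dropped.
        $w = imagesx($src);
        $h = imagesy($src);
        $clean = imagecreatetruecolor($w, $h);
        imagecopy($clean, $src, 0, 0, 0, 0, $w, $h);
        imagedestroy($src);

        // Server-chosen filename with a fixed extension; nothing from the client
        // influences the path or the extension.
        $dest = sprintf('%s/%d-%s.jpg', PHOTO_DIR, $memberId, bin2hex(random_bytes(8)));
        $ok = imagejpeg($clean, $dest, 85); // 85 = assumed JPEG quality
        imagedestroy($clean);
        if (!$ok) {
            return null;
        }
        chmod($dest, 0640); // readable by the web server user, never executable
        return $dest;
    } finally {
        // Remove the original upload once it has been processed, accepted or not.
        if (is_file($tmp)) {
            @unlink($tmp);
        }
    }
}

// Usage in the upload script. PHP writes the incoming file to upload_tmp_dir
// (php.ini); pointing that at UPLOAD_DIR keeps even the raw upload outside the
// web root.
//   $path = storeMemberPhoto($_FILES['photo'], (int) $_SESSION['member_id']);
//   if ($path === null) { http_response_code(400); exit('Upload rejected'); }
```

Because PHOTO_DIR is not under the web root, the saved files cannot be requested (or executed) directly over HTTP; a small script that checks the member's session and then streams the file with `readfile()` and an `image/jpeg` content type is what serves them. Drawing onto a new canvas is what actually discards hidden content; simply re-saving the decoded resource can carry some metadata across, so the copy step is deliberate.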