Autoprivate related question

System

ARCHITECTURE:
Teamsite 5.5 on Solaris
--------------------------
HISTORY:
We are blocking certain 'bad' file extensions on our web servers using a FilesMatch directive in apache

<FilesMatch "\.(asa|asp|backup|bak|bat|ear|war|err|htm~|inc|ksh|lck|LOG|log|new|old|original|out|properties|sav|save)">
Order allow,deny
Deny from all
</FilesMatch>

Certain people in our company don't think files with these extensions should even get deployed to our web servers. I tend to agree. So we're trying to correct the problem after the fact.

We have 650+ OpenDeploy descriptors so it is impractical to try to implement this type of filtering here. It would be a maintenance nightmare.

So I've been looking at autoprivate.cfg. Doing some testing, it looks like I've got a course of action that will work.
---------------------------
SUMMARY:
1. Put rules in autoprivate.cfg
2. iwreset
3. move files with bad extensions from staging area to a temporary directory and then back into the workarea at which point the 'P' icon appears
4. Remove files with bad extensions from the STAGING areas <----see below
5. Remove files with bad extensions from the web servers

Regarding step 4, it doesn't look like I can manipulate the STAGING area filesystem.
$ cd /default/main/tstp/Dave_site/STAGING/
$ rm testme.rodney
rm: testme.rodney: override protection 555 (yes/no)? y
rm: testme.rodney not removed: Read-only file system

--------------------------
QUESTION:
Has anyone written a script to remove files from the STAGING areas?
Does the course of action above sound reasonable