Question : tomcat vulnerability finding

I am currently doing some IA security findings for Tomcat 5.5, and I received the following request, but I don't really understand it. Can someone please clarify the following for me?

-start----------
Tomcat Web Server Site (Target: Tomcat Web Site 5.x)
Long Name: web document (home) directory is not in a separate partition from the web server's system files.
Vulnerability Discussion: Web content is accessible to the anonymous web user. For such an account to have access to system files of any type is a major security risk that is entirely avoidable. To obtain such access is the goal of directory traversal and URL manipulation vulnerabilities. To facilitate such access by mis-configuring the web document (home) directory is a serious error. In addition, having the path on the same drive as the system folder compounds potential attacks such as drive space exhaustion.

Checks: Windows: Locate the document root in the administration GUI or server.xml file and ensure that this is not the Windows system root directory or the web application root directory.
Confirm that this is not the system's root partition nor the web root directory; if it is, this is a finding.

-End---------------

Answer : tomcat vulnerability finding

It seems to me like a precaution:

In server.xml you can define the document root.
Check server.xml for this entry and make sure it does not point to e.g.

<Context path="/tomcat" docBase="c:/tomcat" />  
<Context path="/system" docBase="c:/" />  

then you could get access to the system directory by calling

http://localhost/system

and, with http://localhost/tomcat/conf/tomcat-users.xml, the user/password file.
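The check described in the finding can be automated. The script below is an added example, not code from the original post or from the Tomcat project: it parses the `<Context docBase="...">` entries in a server.xml, resolves each docBase the way Tomcat does (a relative docBase is taken relative to the Host's appBase, and a relative appBase relative to the installation directory), and flags the three conditions the finding describes: docBase is a drive root, docBase lies inside the Windows system root, or docBase is the Tomcat installation tree itself rather than a web application under appBase. It also reports a docBase that merely shares a partition with the system root, since the Long Name makes that the actual finding. The sample server.xml is constructed for this example and reproduces the two bad `Context` entries from the answer; `CATALINA_HOME` and `SYSTEM_ROOT` are assumed values and should be set to the real install directory and `%SystemRoot%` of the host being audited. Windows paths are handled with `PureWindowsPath` so the check runs offline on any platform.

```python
"""Audit Tomcat <Context docBase="..."> entries in server.xml against the
"document root on the system partition" finding quoted in the question."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Assumed locations (hypothetical; set these for the host under review).
CATALINA_HOME = PureWindowsPath("c:/tomcat")
SYSTEM_ROOT = PureWindowsPath("c:/Windows")

# Constructed sample server.xml (not taken from the original post). The first
# two Context entries are the misconfiguration the answer warns about; /app is
# on a separate partition and /rel is a normal web app under appBase.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/tomcat" docBase="c:/tomcat"/>
        <Context path="/system" docBase="c:/"/>
        <Context path="/app" docBase="d:/www/app"/>
        <Context path="/rel" docBase="shop"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""


def _under(path, parent):
    """True if path equals parent or lies anywhere beneath it."""
    return path == parent or parent in path.parents


def resolve_doc_base(doc_base, app_base, catalina_home=CATALINA_HOME):
    """Resolve a Context docBase as Tomcat does: a relative appBase is
    relative to the install dir, a relative docBase relative to appBase.
    Returns (resolved docBase, resolved appBase)."""
    base = PureWindowsPath(app_base)
    if not base.is_absolute():
        base = catalina_home / base
    doc = PureWindowsPath(doc_base)
    if not doc.is_absolute():
        doc = base / doc
    return doc, base


def check_doc_base(resolved, app_base, catalina_home=CATALINA_HOME,
                   system_root=SYSTEM_ROOT):
    """Return the list of finding descriptions that apply to one docBase."""
    issues = []
    # A bare drive root exposes the whole volume through the web server.
    if resolved == PureWindowsPath(resolved.anchor):
        issues.append("docBase is a drive root")
    # Anything under %SystemRoot% serves OS files to the anonymous web user.
    if _under(resolved, system_root):
        issues.append("docBase is inside the Windows system root")
    # The install tree (conf/, lib/, ...) is not a web application; only
    # directories under appBase are legitimate document roots.
    if _under(resolved, catalina_home) and not _under(resolved, app_base):
        issues.append("docBase is the Tomcat installation tree, not a web app "
                      "under appBase (exposes conf/tomcat-users.xml)")
    # The Long Name of the finding requires a separate partition.
    if resolved.drive.lower() == system_root.drive.lower():
        issues.append("docBase shares a partition with the system files")
    return issues


def audit_server_xml(xml_text, catalina_home=CATALINA_HOME,
                     system_root=SYSTEM_ROOT):
    """Map each Context path to (resolved docBase, list of issues)."""
    root = ET.fromstring(xml_text)
    report = {}
    for host in root.iter("Host"):
        app_base = host.get("appBase", "webapps")
        for ctx in host.iter("Context"):
            doc_base = ctx.get("docBase")
            if doc_base is None:   # docBase derived from path; nothing to check
                continue
            resolved, base = resolve_doc_base(doc_base, app_base, catalina_home)
            issues = check_doc_base(resolved, base, catalina_home, system_root)
            report[ctx.get("path", "")] = (str(resolved), issues)
    return report


if __name__ == "__main__":
    for path, (doc, issues) in audit_server_xml(SAMPLE_SERVER_XML).items():
        status = "FINDING" if issues else "ok"
        print(f"{status:8} {path:10} -> {doc}")
        for issue in issues:
            print(f"           - {issue}")
```

Run against a real installation by replacing `SAMPLE_SERVER_XML` with the contents of `conf/server.xml` and setting the two constants; for a Tomcat 5.5 host that also deploys applications through per-context XML files under `conf/Catalina/localhost/`, feed those files through `audit_server_xml` as well, since the same `docBase` attribute appears there.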
