In principle, that approach should probably work. However, a couple of things to note:
Clearly, this requires putting all untrusted code into the with-scope. In practice, that might become rather unwieldy.
Moreover, it subtly changes the meaning of outermost var/function declarations contained in that code, which now become local instead of being properties on the global object. Undeclared variables, on the other hand, will still end up on the global object. This may break some programs.
Because of the insane semantics of 'with', modern JavaScript VMs give up most attempts to optimise code in its scope. Generated code can easily be two orders of magnitude slower for something that has a 'with'.
So overall, I wouldn't recommend this approach. You are far better off with SES or Caja (not sure in which sense you call those server-side).
(It's also worth noting that ES6's module loaders will provide a cleaner way to sandbox the global object. But it is hard to tell when those will become available. Not soon.)