Hi
thanks for the info - really helpful.
We have pursued an additional route: we have a LaunchDaemon that watches /var/authd.log for any changes. If it detects authentication from a user that is not the logged-in user, it runs kdestroy -p adminusername
With some robust testing, this seems to work effectively enough for us at present. The machine overhead is minimal (we already watch log files for other tasks), and we are comfortable deploying this across our 3500 Macs (casper ftw!).
Am happy to share the code, if others are interested.
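A sketch of the watcher described above, written here as an added example rather than the poster's own script. It assumes a log line format of the form "authenticated user NAME", which is constructed for the example and must be adapted to the real authd.log output, and it assumes kdestroy accepts -p to name the principal (true for both MIT and Heimdal). The console user is read from /dev/console but can be overridden so the parsing logic can be exercised without a Mac:

```shell
#!/bin/sh
# Added example, not the poster's code. Reads authentication log lines and
# destroys cached Kerberos tickets for any principal that authenticated on
# this machine but is not the user logged in at the console.

LOG_FILE=${LOG_FILE:-/var/authd.log}   # path as given in the post

# The user currently logged in at the console (macOS /dev/console owner).
# CONSOLE_USER_OVERRIDE lets the logic be tested off a Mac.
console_user() {
  if [ -n "${CONSOLE_USER_OVERRIDE:-}" ]; then
    printf '%s\n' "$CONSOLE_USER_OVERRIDE"
  else
    stat -f '%Su' /dev/console
  fi
}

# Pull the authenticating username out of one log line. The pattern
# "authenticated user NAME" is CONSTRUCTED for this example; replace it
# with the field layout of the real authd.log.
extract_user() {
  printf '%s\n' "$1" | sed -n 's/.*authenticated user \([A-Za-z0-9._-]*\).*/\1/p'
}

# Read log lines on stdin and print each distinct user who authenticated
# but is not the console user (i.e. an admin elevating on someone else's
# session). Output is one username per line.
foreign_principals() {
  console=$(console_user)
  while IFS= read -r line; do
    u=$(extract_user "$line")
    if [ -n "$u" ] && [ "$u" != "$console" ]; then
      printf '%s\n' "$u"
    fi
  done | sort -u
}

# Destroy the ticket cache for every foreign principal found on stdin.
# DRY_RUN=1 only reports what would be done.
destroy_foreign() {
  foreign_principals | while IFS= read -r p; do
    if [ "${DRY_RUN:-0}" = "1" ]; then
      printf 'would run: kdestroy -p %s\n' "$p"
    else
      kdestroy -p "$p" || logger -t ticketwatch "kdestroy failed for $p"
    fi
  done
}

# Entry point when run by launchd: only executes when invoked directly, so
# the functions above can also be sourced for testing.
if [ "${TICKETWATCH_RUN:-0}" = "1" ]; then
  destroy_foreign < "$LOG_FILE"
fi
```

To hook it to launchd, the LaunchDaemon plist would set ProgramArguments to this script with TICKETWATCH_RUN=1 in EnvironmentVariables and list the log file under WatchPaths, so launchd re-runs it whenever the file changes. Processing the whole file on each run is simple but means already-handled entries are re-parsed; tracking a byte offset between runs avoids that if the file grows large.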