I have to wonder why it isn't such that all you have to do is either delete, or cause to be deleted, the errant front end, or invoke some sort of decree from on high that makes the errant user take care of the problem. Reissuing the fe so that only authorized ones can connect won't stop the errant fe from connecting. Perhaps put a validation rule on one or more login record fields that will prevent said user from connecting while you code for this problem in your new fe that you'll release. I have to presume that he/she cannot modify be design to remove the validation. That being said, it seems like a personnel issue when you get right down to it. Can't imagine why it's not taken care of directly first, then by way of new fe design.
The more we hear silence, the more we begin to think about our value in this universe.
Paraphrase of Professor Brian Cox.