Don't forget to disable registration altogether; otherwise a user can use the /default/user/register link to add himself and thus may have access to things you don't want him to.
Add the line:
auth.settings.actions_disabled.append('register')
in your model.

