Dave,
There are two ways I do this. One way is to shut down web access. Generally the people who need access do so via a fat client and those who need to be locked out only access JDE from the web.
The other way is to use the SQL below to disable users in the F98OWSEC. I use the column SCSECTPE to store a flag that indicates which rows were changed. SCSECTPE is not used in our system. It is blank for all rows and doesn't change.
UPDATE SY910.F98OWSEC -- for E910
SET SCEUSER = '02', SCSECTPE = 'DIS'
WHERE SCEUSER = '01'
AND NOT SCUSER IN ('EXCEPT01','EXCEPT02','EXCEPT03') -- User Exceptions
AND NOT SCUSER IN (SELECT ULUSER FROM SY910.F0092 WHERE ULUSER = SCUSER AND ULUGRP IN ('EXCPTROLE1', 'EXCPTROLE2', 'EXCPTROLE3')) -- Role Exceptions
To re-enable users I use the following SQL:
UPDATE SY910.F98OWSEC -- for E910
SET SCEUSER = '01', SCSECTPE = ' '
WHERE SCSECTPE = 'DIS'
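
Checks to run around the lockout described above, as an added example that is not part of the original post. It uses only the schema, tables, columns and placeholder exception names shown in the post, and assumes SCSECTPE is a fixed-width, space-padded column, as the `' '` reset implies.

```sql
-- 1. Before the lockout: confirm the marker column really is unused.
--    Expect 0. Any other result means SCSECTPE already carries data
--    and cannot safely hold the 'DIS' flag.
SELECT COUNT(*) AS marker_in_use
FROM SY910.F98OWSEC
WHERE SCSECTPE <> ' ';

-- 2. Before the lockout: list exactly the users the UPDATE would disable.
--    Same predicate as the UPDATE, so the exception lists can be reviewed first.
SELECT SCUSER
FROM SY910.F98OWSEC
WHERE SCEUSER = '01'
  AND NOT SCUSER IN ('EXCEPT01','EXCEPT02','EXCEPT03')          -- User Exceptions
  AND NOT SCUSER IN (SELECT ULUSER FROM SY910.F0092
                     WHERE ULUSER = SCUSER
                       AND ULUGRP IN ('EXCPTROLE1','EXCPTROLE2','EXCPTROLE3')) -- Role Exceptions
ORDER BY SCUSER;

-- 3. After the lockout: every flagged row should be disabled.
--    Expect a single group with SCEUSER = '02'.
SELECT SCEUSER, COUNT(*) AS flagged_rows
FROM SY910.F98OWSEC
WHERE SCSECTPE = 'DIS'
GROUP BY SCEUSER;

-- 4. After the re-enable: no flag should be left behind.
--    Expect 0. A leftover 'DIS' row is a user who is still locked out.
SELECT COUNT(*) AS still_flagged
FROM SY910.F98OWSEC
WHERE SCSECTPE = 'DIS';
```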