Deny logover for industrial it admin group
As far as I know, once logover has been enabled, there is nothing additionally that can be configured inside the 800xA System to prevent logover.
If the workplace was originally launched from an account having "Impersonate" privilege, logover will be possible for any person located at the keyboard of that workplace.
C:\>whoami /all | find /i "impersonate"
SeImpersonatePrivilege Impersonate a client after authentication Enabled
This can be used to allow an unattended computer to auto-login and auto-launch a read only capable workplace. Once a privileged user arrives at that workplace and like to perform privileged work, he or she can do that after performing a logover to another user. This other user does not need to have impersonate privilege.
To prevent logover you must choose from:
a) remove the impersonate privilege from the account used to launch the workplace
b) keep usernames and passwords secret