1) remove all the rights to the user module and in site.ini policy omit list.
2) login, for instance, to the site admin.
3) as a result: you are allowed to enter (the menus show up) and your user is set as logged in (you are given a session, $current_user.is_logged_in is set)
btw: you can not operate, nor access any other function.
may be a bug or different understanding on wath "log in" means.
did you try to add a siteaccess limitation for the user/login function. Here you can enable login to any siteaccess, if you enable login to only the user siteaccess then users should not be able to log in to the admin.