I should know how to do this ...

It isn't as simple as commenting out vc7 in /etc/securetty, right?  The 
persistent offenders would try to start another X session on a different vc.

Is there a trick I could add in /etc/pam.d/login or one of the /etc/pam.d/gdm* 
files perhaps?
-- 
Regards,
Mick