REGISTER or login:
What can they do from a command line that causes any problem? If there is anything that they have authority to do that causes trouble, then that's the problem that should be solved. A system shouldn't be vulnerable just because a command line is available. Nowadays, many users are far more familiar with other interfaces than with AS/400 command lines (that shouldn't be a problem to begin with). Commands can be run from a PC (or even from home) without ever seeing an AS/400 command line.
However, if the command line is your concern, your only two real choices are to run CHGUSRPRF USRPRF(profilename) LMTCPB(*YES) for every user you want to control or to set *PUBLIC *EXCLUDE for every command you want to control. There are approximately 2000 commands in i 6.1, with additional commands in most products you might install plus any commands that might be created on your system. (And excluding users from commands might cause some of your programs to fail, and each future upgrade will require fully reviewing command authorities again.)
Neither choice will do much to secure your system.