The first thing I would do would be to set Public authority to *EXCLUDE. You can also look into exit programs. You can write you own or look into a commercial application.
This thread may help:
Also you can check :
We control access from our interactive subsystems. In QINTER, for example, we add workstation names that DO NOT begin with QPADEV*. So, if someone is not assigned a workstation name, they will not obtain a signon for our system.