• Eric Prévost (3/25/2015)


    SETUSER WITH NORESET doesn't prevent anything in SSMS.

    After doing the SETUSER, the developer may not be able to do a SETUSER to revert back to sysadmin permissions, but he can right-click in the query window and select "Open server in object explorer". He would automatically get a new connection with sysadmin security context.

    The question explicitly mentions SSMS. Considering this, the answer should be that there is no way to prevent it.

    I see your point here, although I don't reach the same conclusion. Doesn't this turn on what credentials the object browser is using? Assuming that the sysadmin came along and found that the dev had already started SSMS authenticating to this instance with the dev's credentials, the posted answer should stand. But this is not stated in the question: for all we know it has sysadmin creds. Therefore, without rejecting the answer, I now think that the question is incomplete.