Why don't you disconnect their session when you change a users access to sensitive data, that should remove any temp tables they've created.