Ah well, I got that wrong. I thought MS would (by the time Windows 2003 Server was released) have been aware that leaving a hole like that would be bad for their already poor security reputation (which they were trying very hard to repair) and would have done something like automatically killing connections when a user account was disabled. I also thought Kerberos tickets expired much faster than that by default; they certainly were much shorter-lived on the servers we installed on our customers' sites, as was clear from the logged authentication data (I'm assuming the expiry was a small multiple of the refresh (reauthenticate) rate, as that's standard security engineering practice). I guess we must have overridden the default during installation; we did quite a lot of things with group policy, and I guess that was one of them.
edit: I forgot to mention that it's a good question.