There are still other ways that can both secure the environment as well as allow for existing applications to run as originally designed.
The real problem here is that instead of suggesting that the user fix his original problem which is a big security hole, we are telling him how he can monitor that hole. The emphasis should be how to migrate out of that situation into a more secure environment.
When we had a similar issue we forced all of the developers to connect via a different firewall which can easily be done by adding a route statement to their ports. Once they were going through that firewall the access restrictions were put into place. The developers had a test machine that they could use to test their applications but the security on that machine was limited so they could not install their own software with out the Administrator password. This way developers could only hit the sandbox environment and could only test production apps with the same security and interface that the users had. It was more elegant and no one had to worry about them running some dangerous query on our production environment.
On the whole people are generally good natured and not out to do harm, but if you give them access then they can mistakenly use that access. DBA's tend to have this belief that when there is something wrong with the system it must be a rogue query from a dev that caused it. I used to be this way too and that's when I realized this is not the best way to build relationships with people.