Another option is to not allow them to write their own queries. Give them access to only execute stored procedures that you have vetted.
If they need something else, then they would have to request a new procedure be built which would have the necessary protections built in.
Or, you could provide a copy of the production system they can run their queries against. In most cases, they wouldn't need access to real-time data. If they need access to real-time data, you could set up replication and grant them access to the replicated database.
If they don't need real-time access, you could use database snapshots (Enterprise Edition), mirroring with database snapshots, backup/restore to another server, or SAN replication/mirroring/snapshots.
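The stored-procedure-only option at the start of this answer could look like the following T-SQL sketch, which is an added example and not code from the original post. All object names (`reports`, `report_readers`, `dbo.Orders`, `analyst1`) and the specific limits (31-day range, 10000-row cap) are hypothetical stand-ins for whatever protections you decide a vetted procedure needs.

```sql
-- Constructed sample table standing in for a production table.
CREATE TABLE dbo.Orders (
    OrderId     int IDENTITY PRIMARY KEY,
    CustomerId  int   NOT NULL,
    OrderDate   date  NOT NULL,
    TotalAmount money NOT NULL
);
GO
-- Schema owned by dbo, the same owner as the tables, so ownership chaining
-- lets procedures in it read dbo tables without callers holding SELECT.
CREATE SCHEMA reports AUTHORIZATION dbo;
GO
CREATE ROLE report_readers;
CREATE USER analyst1 WITHOUT LOGIN;          -- constructed test principal
ALTER ROLE report_readers ADD MEMBER analyst1;
GO
CREATE PROCEDURE reports.GetOrdersByDate
    @FromDate date,
    @ToDate   date
AS
BEGIN
    SET NOCOUNT ON;
    -- Protection 1: refuse missing, reversed or oversized date ranges.
    IF @FromDate IS NULL OR @ToDate IS NULL
       OR @ToDate < @FromDate
       OR DATEDIFF(DAY, @FromDate, @ToDate) > 31
    BEGIN
        RAISERROR('Date range must be between 0 and 31 days.', 16, 1);
        RETURN;
    END;
    -- Protection 2: static, parameterised SQL with a hard row cap.
    SELECT TOP (10000) OrderId, CustomerId, OrderDate, TotalAmount
    FROM dbo.Orders
    WHERE OrderDate >= @FromDate
      AND OrderDate <  DATEADD(DAY, 1, @ToDate)
    ORDER BY OrderDate;
END;
GO
-- The only permission granted: EXECUTE on the vetted schema.
GRANT EXECUTE ON SCHEMA::reports TO report_readers;
GO
-- Check the boundary from the analyst's side.
EXECUTE AS USER = 'analyst1';
EXEC reports.GetOrdersByDate @FromDate = '2024-01-01', @ToDate = '2024-01-15'; -- allowed
-- SELECT * FROM dbo.Orders;  -- would fail: SELECT permission denied
REVERT;
```

Ownership chaining does not cover dynamic SQL, so a procedure that builds and executes a query string would run with the caller's own table permissions and fail under this setup.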