This should have been an easy problem to solve
I cannot recall if it was possible to restrict access to sub-sets of members of a single VAXcluster
So you set up the system "login" script (whatever the VMS equivalent of /etc/profile is) to print out "this system is used for university payroll / administration, authorized users only" which would have been sufficient to stop this guy from trying to use it. Better yet, have it check against a list of users authorized for that payroll system and log off those who are not. I'm sure there's probably a way around that, but we're not trying to keep hackers out, we're just trying to make sure people don't accidentally do something they shouldn't.