I am not sure whether this is a bug or a system characteristic, but in all versions from 5.1 up to 6.1 (the only ones I have used) and on alpha and i386 platforms there are two different routes to the shutdown command. The first is /sbin/shutdown and causes no problem (only root or CTRL+ALT+DEL may run it); however, the other command, /usr/bin/shutdown, may be called by all users (even remotely) with the only condition of being asked for their password before executing. One can easily imagine the headaches it has caused for the last days in our department, which has an NFS server for more than forty users, two of them newbies used to turning off Windows when logging out and who had /usr/bin in their PATH but not /sbin. Once you know, it looks easy to solve.
This is a feature of pam_console; see 'man pam_console' for more info.