I am not sure whether this is a bug or a system characteristic but in
all versions from 5.1 up to 6.1 (the only ones I have used) and in
alpha and i386 platforms there are two different routes to the shutdown
command. The first is /sbin/shutdown and causes no problem (only root
or CTRL+ALT+DEL may run it); however the other command: /usr/bin/shutdown
may be called by all users (even remotely) with the only condition of
being asked for their password before executing.
One can easily imagine the headaches it has caused for the last days
in our department which has an NFS server for more than fourty users,
two of them newbies used to turn off Windows when loging out and who
had in their PATH /usr/bin but no /sbin.
Once you know, it looks easy to solve.
This is a feature of pam_console ; see 'man pam_console'
for more info.