It is possible for a remote user to log into root via su even when /etc/security/access.conf is set up to deny access to root from remote locations. (I am not sure whether this is a problem with su or with pam.)
This is the normal, expected behaviour. If you wish to deny root shells at all from remote hosts, you can change your PAM configuration to use the pam_securetty module for the 'su' service.