It is possible for a remote user to log into root via su even when
/etc/security/access.conf is set up to deny access to root from remote
locations. (I am not sure whether this is a problem with su or with pam.)
This is the normal, expected behaviour. If you wish to deny root shells at all
from remote hosts, you can change your PAM configuration to use the
pam_securetty module for the 'su' service.