I have two users A and B. User A can use Toad but user B has 100% toad security restrictions (i.e. B cannot access Toad.) So if user B logs into Toad and he gets blocked; however, user A can log into Toad then go into the Editor and type
connect user_B/ some_password
Now user A has a connection to Oracle using user B's connection. Can Toad provide security for this action?
Normal Oracle behavior and unrelated to Toad.
Concerning the issue of being able to login in as a restricted Toad user to by non-restricted Toad user through the Editor window in Toad, the answer is, "No, Toad Security CANNOT prevent this." Please keep in mind that Toad security only controls Toad and buttons and features in Toad. Once you are logged in, you are in Oracle domain and Toad security does reach that far. In other words, non-restricted Toad user can do the same in SQL PLUS (Oracle's native tool.) Even the restricted Toad user, who can't access Toad, can launch SQL PLUS and still get into your database. The point being, restricting Toad access does NOT mean restricting Oracle access. Security must be administered at the Oracle level.