you cant prevent them from logging in _and_ show the message. you would need them to be logged in to show the message.
Create an access level that does not allow access to the restricted page if the userActive column is 0
on the login page, edit the authenticate user server behavior, on the third page, click the plus button so the userActive column is stored in a session
create a new access rule that uses the userAccess session and makes sure it is equal to 1.
use that access restriction rule on all of the restricted pages.
on the login page, you can use the security assist show region behavior to show the account disabled message.