Yes, I used the Access Pages Manager to secure the pages and it does work in all other circumstances - if the userVerified value is 0, the user can't access the pages and if it's 1, they can. When the user first registers, their account is set to 0 and when approved it changes to 1. In Access Pages Manager, I have a Verified User rule applied to the secure pages as follows:
Restrict if: <?php echo $_SESSION['SecurityAssist_UserID']; ?> =
Allow if: <?php echo $_SESSION['userVerified']; ?> = 1
Restrict if: <?php echo $_SESSION['userVerified']; ?> = 0
What seems to be happening is that, when the user registers, it's logging them in at the same time and before their account has been approved, they can access the secure pages. However, if they logout and then try to login again, they can't, until someone approves their account.
It seems to be a similar issue which was reported in the post here: http://www.webassist.com/forums/posts.php?id=33668 however most of the replies are in PMs so I can't see how or if it was resolved.