Add another field to your users table: UserApproved.... Give it a default value of 0 and then in the admin back end allow the admin to update that field with a checkbox.
Then on the login page update the Authenticate User server behavior to store the UserApproved value in the session.
Finally update your logged in rule to make sure it checks the saved session variable and blocks users that haven't been approved.