You could use server validation to validate the file size after it has been uploaded, and delete it if it is too large, but actually blocking the upload is difficult. You could set the max_file_upload in the php.ini to 2M and they couldn't even upload the file in the first place (it will behave as if the field was blank).