I would recommend disabling access also. However, you could change his shell to a restricted shell. But it all depends on what binaries he needs to use when logged in (ls, etc...). You could use bash -r as his shell. You will have to find out more to set this up.
I would also recommend using ssh rather than telnet.
If you are talking about a hosting company, then whatever you do there is no use. Anybody can set a CGI, PHP or SSI script to read any file readable by the Apache user (i.e.: all directories and pages of other users accessible through the web, including those that contain database passwords.)
This topic have been brought up here and elsewhere many times, but there is really no solution to this problem until today.