You could copy your server's php.ini to their public_html directory, then add mail to the disable_functions directive. If you set the php.ini ownership to root, that *should* prevent the user from removing or modifying the php.ini file.
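The steps suggested in the post above, as an added shell example that is not part of the original thread: it copies a php.ini into a user's public_html, adds mail to disable_functions without dropping entries already listed, and hands the file to root. The function names, the source and destination path arguments and the root:root / 0644 choice are assumptions.

```shell
#!/bin/sh
# add_disabled_function INI_FILE FUNCTION   (hypothetical helper name)
# Idempotently adds FUNCTION to the active disable_functions line of INI_FILE.
add_disabled_function() {
    ini=$1
    fn=$2
    tmp=$(mktemp) || return 1
    awk -v fn="$fn" '
        # Only an uncommented directive matches; ";disable_functions" is left alone.
        /^[ \t]*disable_functions[ \t]*=/ {
            seen = 1
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)   # keep the value only
            sub(/[ \t]*;.*$/, "", val)      # drop a trailing ; comment
            gsub(/[ \t"]/, "", val)         # drop spaces and quotes
            n = split(val, parts, ",")
            have = 0
            out = ""
            for (i = 1; i <= n; i++) {
                if (parts[i] == "") continue
                if (parts[i] == fn) have = 1
                out = out (out == "" ? "" : ",") parts[i]
            }
            if (!have) out = out (out == "" ? "" : ",") fn
            print "disable_functions = " out
            next
        }
        { print }
        # Assumption: appending at the end is acceptable when no directive exists.
        END { if (!seen) print "disable_functions = " fn }
    ' "$ini" > "$tmp" && cat "$tmp" > "$ini"   # cat keeps owner and mode of $ini
    rc=$?
    rm -f "$tmp"
    return $rc
}

# install_user_ini SRC_INI DEST_DIR   (hypothetical; run as root)
# SRC_INI is the server php.ini, DEST_DIR the user's public_html.
install_user_ini() {
    cp "$1" "$2/php.ini" || return 1
    add_disabled_function "$2/php.ini" mail || return 1
    # Root ownership protects the file's contents; whether the user can still
    # rename or delete it depends on the permissions of DEST_DIR itself.
    chown root:root "$2/php.ini" && chmod 0644 "$2/php.ini"
}
```

Running `php -i | grep disable_functions` as the user from the same directory shows the value PHP actually picked up.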
Has anyone noticed that php.ini works only in the folder it is in, not in subfolders? When cPanel used phpsuexec, it worked for subfolders too. With suPHP, I think php.ini only works in the current folder.