Have you ever tried turning off "sending referrers" in your browser, then trying to work in Wordpress? You can post and edit, but everything else you try to do gives you the message, "Sorry, you need to enable sending referrers for this feature to work." They have a whole wiki entry devoted to it: Enable Sending Referrers « WordPress Codex.
Here’s their explanation:
All the pages within the admin area remain secure, without the nuisance of your having to log in to each page individually. Any additional admin page you choose can verify your status by checking to see which page you just came from.
Knowing that browser referrers can be easily modified, this doesn’t sound like a particularly effective security mechanism to me. Someone should really tell them about sessions and cookies if they are still using referrers 
P.S. Wordpress still rocks the open-source scene! 