If you have untrusted users, I think you can safely remove them from the group (as root: "gpasswd -d user group", or use PCC). In fact, you could remove them from all groups, except their own. Or you can create a different group for untrusted users, such as just "users" for example.
Now policykit and polkit are complicated stuff to study and use. Add to this that we still use policykit, whereas the development team has left it for polkit with new commands. I think all was more simple before, when we had just groups and ACL to deal with authorisations. But we can't stay in the past, can we?
For more, you may want to read the policykit doc from the developers: http://hal.freedesktop.org/docs/PolicyKit
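The "remove them from all groups except their own" step above, as an added example that is not part of the post: a small POSIX sh script that takes a user's group list (as `id -nG` prints it) and their primary group, and builds the `gpasswd -d` commands an admin would run as root. The sample user "guest" and its groups are constructed for the demonstration; the script only prints the commands, it does not run them.

```shell
#!/bin/sh
# Added example (not from the forum post): plan the removal of a user from
# every supplementary group, keeping only their primary group.
# Dry-run by design: the gpasswd commands are printed, never executed.

# groups_to_remove PRIMARY "GROUP LIST"
# Prints every group in GROUP LIST except PRIMARY, one per line.
groups_to_remove() {
    primary="$1"
    list="$2"
    for g in $list; do
        [ "$g" = "$primary" ] || printf '%s\n' "$g"
    done
}

# plan_removal USER PRIMARY "GROUP LIST"
# Prints one "gpasswd -d USER GROUP" line per supplementary group.
plan_removal() {
    user="$1"
    primary="$2"
    list="$3"
    groups_to_remove "$primary" "$list" | while read -r g; do
        printf 'gpasswd -d %s %s\n' "$user" "$g"
    done
}

# For a real account the inputs come from id(1), e.g.:
#   u=guest; plan_removal "$u" "$(id -gn "$u")" "$(id -nG "$u")"
# Constructed sample: user "guest", primary group "guest", two extra groups.
SAMPLE_USER=guest
SAMPLE_PRIMARY=guest
SAMPLE_GROUPS="guest audio plugdev"
plan_removal "$SAMPLE_USER" "$SAMPLE_PRIMARY" "$SAMPLE_GROUPS"
```

Review the printed lines before piping them into `sh` as root; a user whose only group is their primary one produces no commands at all.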