We have a SQL Server 6.5 instance that has yet to be upgraded to SQL 2000. (Long story). Anyhow, I'm trying to revoke SA permission from the local administrators group, which SQL Server grants by default during setup. I followed the instructions on BOL, but no luck. Here is what I've tried.

Changed my desktop client from named pipes to TCP/IP
Verified the server client allows TCP/IP and named pipes (needed for old applications)
Changed security mode to Mixed
Created a local group called DBA_Admin
Granted DBA_Admin SA permission through SQL Security Manager
Revoked SA permission from Administrators group (local admin group on server)
Added my domain group to DBA_Admin

Unfortunately someone who is a member of the local administrators group, but not DBA_Admin group, is able to still access the SQL Server instance from Enterprise Manager using a trusted connection. Why???????????

Thanks, Dave