OK we went back to the office and reproduced the strange issue as blogged yesterday.
Now, added the person to the Deny Access Group. The Person Doc and mail file are still on the server at this stage.
In Domlog we now see this, the constant device attempts at synching with Traveler show Access Denied, as expected.
So now we remove the Person Document to simulate the strange issue we noticed and we now get this.
Opening one of the log documents show a now apparently Authenticated user and Request fulfilled messages in Domlog.
The no-longer-present-in-the-Directory user's iPhone continued to hammer the server with requests until the manual removal of the Active-Sync profile from the device finally silenced it.
Wonder how many Organisations have this exact scenario going on but are just unaware of it because they don't have http logging (Domlog) set up or just don't ever check it?