Taken from the release notes:
[snip]
To grant access to a user whose Microsoft Office Outlook is configured for cached mode, but to deny access otherwise:
The ProtocolSettings attribute on the user object in Active Directory stores client access settings.
This attribute is a multiple-valued string property, where each string applies to a different protocol. MAPI access can be restricted by manually adding the following string to the ProtocolSettings attribute using a tool such as ADSIEdit:
MAPI§§§§§§§§
The eight § separators define exactly nine fields. The fields have the following meanings.
MAPI
Specifies that this string contains settings that apply to the MAPI protocol
0 to block all MAPI access; 1 to determine MAPI access based on Bool2
0 for no effect; 1 to deny access to non-cached mode Outlook clients
Remaining 6 fields
Currently not used
If there is no MAPI string in ProtocolSettings, all MAPI clients are allowed.
Note:
The access restrictions specified earlier do not apply in the following cases:
The client is an Exchange component (for example, the mailbox moves work correctly regardless of the MAPI access settings for the mailboxes) or the client is doing delegate access to the mailbox.
If the MAPI string does not have the eight separators and conforms to the expected data types, the behavior is undefined. The ProtocolSettings attribute is cached in the MBICache and in DSAccess, and these caches may delay the time that is required for a change in the ProtocolSettings to become effective.
[/snip]
Unfortunately, it doesn't handle the situation very "nicely". It will simply deny access to anyone trying to connect in with a non-cached connection.
Many thanks to anonymous commenter, "JC", for the tip on where to find this.