This'd take some work. but you could configure multiple IP's (or NICs) and do quasi out-of-band management.
So, each server has two IP's - a 'public' one (The current one, registered in DNS etc) and a 'management' IP which isn't registered in DNS (This is important!!). When you want to do maintenance just disable the public IP.
The ideal would be two NIC's running on two different VLANs, but it'd still work on a flat network.
Other than that I don't know of a generic way to disable logons, unless you can do something application specific (I.e., disable a share, or disable terminal services if it's a terminal server etc)
Problem is, it kind of makes no sense. Try and "define" what you mean - do you mean that the computer shouldn't provide any services - what about websites, etc? Do you mean non-admins shouldn't log on at the console? Remotely? Do you mean file shares should be inadmissible?
I don't see how it'd be feasible for MS to provide a switch to do what you need as it's so dependent on individual use cases.
Access list on the Cisco switch it's attached to. Easy.
What do you mean it's not a Cisco switch?
I'd strangle anyone making substantial network changes for such a temporary thing. I realise he doesn't have to commit them, but still.
Besides, he's probably going to be accessing it from the same IP range as his users if he's VPNing in.
Terminal Server, why didn't you say? What OS is it?
http://blogs.msdn.com/b/rds/archive/2007/06/15/introducing-terminal-services-server-drain-mode.aspx
Does that point you in the right direction?