Who's online is based off what script they are looking at.
If they already had it on their screen, then they aren't kicked out until they refresh or click somewhere.
But the authenticate() function takes care of this at the top of every script. There is absolutely no profile information stored in a cookie in any way, shape or form. The cookies have their user number, their language, etc...
If they have a link to something that they aren't supposed to see - Who's online will report the real location - but what the user will actually be seeing is a not_right() message stating that they aren't authorized blah blah.
A banned user will often keep clicking everything to see what they can see. The who's online will show them looking at stuff. But if it was a username ban they will be met with a "you are banned - Reason:" message on every page, and won't even be able to logout.
If it's an IP ban - well, in this day and age banning by IP address is pretty worthless. It's too easy to use a different IP address. But IP bans can still view and do everything - they simply cannot post.
A group change is instant (or as soon as they click somewhere/hit refresh to view something else).... hence why the myPaymentPal addon can add a user and give them instant access to hidden forums instantly after payment is made.
But the who's online page isn't really a good indication of this type of stuff - that only gets updated when the user refreshes/loads a page - and the location that YOU see is only based off the script they are viewing (the URL) and not what they actually can see.