Hi Ashley,
One thing to be aware of is that there is no hard link between a menu and it's items and a browse/form entity in the way you are thinking.
The menu is just that. It's a bunch of links.
Setting a menu item to only be seen by a particular user filter doesn't affect the form itself, it only affects that menu item.
So it's in the form itself that you muck about with the security for that form.
If someone is able to access a form when they shouldn't be, then we probably need to go into more specific details about the issue.
* A good way to test this is to, on login, set a made up session variable to one, like .. p_web.SSV('oktoaccess:ContactForm',1), and then on the form, set the special security to check for that particular session variable being 1 (remove the level specific check).
That'll help you understand a little more what might be happening.