<dict>
<key>LogoutHook</key>
<string>/sbin/newreboot</string>
<key>PowerOffDisabled</key>
<string>true</string>
</dict>
Essentially, this disables the "Reboot" and "Shutdown" buttons from the login window and runs the script /sbin/newreboot. The newreboot executable is just /sbin/reboot copied and renamed. Then I changed the permissions on /sbin/newreboot to 777. Renaming the executable and changing the permissions is essential. You must change the permissions for it to run as a loginhook and you must change the name or repair permissions will change it back to defaults.
This might work if you change the group on newreboot and set the gid, but I haven't played around with that. Changing the permissions to 777 works but still keeps non-root users from ssh-ing into a box and rebooting it. I'm still working through this, so if someone finds a better, more efficient way of doing things, let me know...
[robg adds: Please, exercise extreme caution if you're going to try this or anything like this. Messing around with root's permissions and functionality is a good way to turn a healthy machine into one requiring some troubleshooting work!]
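An added audit example, not part of the original hint: loginwindow runs login and logout hooks as root, so a hook target that group or other users can write to is worth flagging. The script below parses loginwindow preferences and checks each hook target's mode and owner; the plist envelope around the page's dict, the function names, and the temporary directory standing in for / are assumptions made for the demonstration.

```python
import os, plistlib, stat, tempfile

# Constructed sample: the page's <dict> wrapped in a plist envelope so plistlib accepts it.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>LogoutHook</key>
<string>/sbin/newreboot</string>
<key>PowerOffDisabled</key>
<string>true</string>
</dict>
</plist>"""

HOOK_KEYS = ("LoginHook", "LogoutHook")

def audit_hooks(plist_bytes, root="/", expected_uid=0):
    """Return (key, path, problem) tuples for hook targets that are unsafe to run as root."""
    prefs = plistlib.loads(plist_bytes)
    findings = []
    for key in HOOK_KEYS:
        target = prefs.get(key)
        if not target:
            continue
        try:
            st = os.stat(os.path.join(root, target.lstrip("/")))
        except FileNotFoundError:
            findings.append((key, target, "target missing"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((key, target, "group/other-writable, mode %o" % mode))
        if st.st_uid != expected_uid:
            findings.append((key, target, "owner uid %d, expected %d" % (st.st_uid, expected_uid)))
    return findings

def demo():
    """Audit a throwaway directory tree standing in for / (hypothetical layout)."""
    with tempfile.TemporaryDirectory() as fake_root:
        os.mkdir(os.path.join(fake_root, "sbin"))
        hook = os.path.join(fake_root, "sbin", "newreboot")
        with open(hook, "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.chmod(hook, 0o777)   # the permissions described in the post
        before = audit_hooks(SAMPLE, fake_root, os.getuid())
        os.chmod(hook, 0o755)   # writable by owner only
        after = audit_hooks(SAMPLE, fake_root, os.getuid())
    return before, after

if __name__ == "__main__":
    print(demo())
```

On a real machine, pass the bytes of the loginwindow preferences file and leave `root` and `expected_uid` at their defaults.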

