Why is a project visible in the select project list for a user who does not have appropriate access rights?
This behaviour can occur when MPX is enabled.
As a new project is created an update is sent to all clients currently logged in adding it to the available project list.
There is no security risk with this behaviour. When the user tries to open the project, it creates a new call to the server, which at this point does a group/security check and informs the user that they are not authorized to view this project.
The workaround is simply to restart the client which will remove the project name from the list.