You have correctly observed that the phone is live even when a hot desk user is not logged in.  The phone has its own identity.  One reason for this is that a HD user can log into ANY phone where it's allowed, even yours.  So the bigger question is whether you can restrict any station from making IC calls, and the answer is generally no.  Part of this is the idea that you don't want to restrict a phone from emergency (911 in US) calls, so the dial pad must be live.  If you're willing to run the risk on 911, here's a workaround: set the base ext as a HOUSE PHONE to auto-dial a new CALL ROUTING ANNOUNCEMENT that says "This phone is currently locked out".  Then for the base ext turn on HEADSET...this is to sort of disable the hot dial pad in case user tries to dial while on hook.  This solution is still not 100%...if a user dials while on hook, then picks up handset, it will still work.