I thought you were going to say that. You misunderstand the distinction between authentication and authorisation.
If they've got the correct username/password then they are authenticated. As I explained above, you should use LDAP search terms to restrict staff appropriately.
As for authorisation, the out-of-box thing is that you've got View/ZenUser once authenticated.
If you *really* want to do that, then you need to set a different default role, and you need to change the Zope permissions as I explained above.