After only completing and submitting the signup form, users are instantly logged in and have full access before payment, before even clicking on the paypal subscribe button. This is not a Paypal cancelled payment issue, it's not even getting that far. They have a created account with full access immediately after form submission.
I use Membership on a WP/BP installation. I even have "Registration Disabled" in my Network Settings. I don't have / offer any free accounts, only 2 possible subscriptions and both are paid. Membership does consider this account "Inactive" and if they log out, they cannot log back in. However, I woke up this morning to a real live example. Someone had created an account and even created a blog and posted several spam messages. That's what prompted me to start testing how this could happen. My site is not even launched yet. I need to get this sorted before I launch soon.
I made a video for reference, http://www.screenr.com/zvZ8