
There have been some phishing attacks that relied on users accessing the dev tools.


How?


Generally by asking them to paste code into the JavaScript console. Here's an example:

http://sdpcfix.com/security-alerts/facebook-scam-helps-trick...


We should instead remove access to the keyboard; that would be a way more effective way to stop any situation where these users would cause a security issue.

Seriously, it's not the first kind of attack that appears because users are too naive. At one point we need to trace the line somewhere. Should we also block copy-paste to a file in case they create a batch file?


Greasemonkey has similar protections around copy-pasting userscripts, for this very same reason. It's not so unreasonable.


We no longer trust the user for anything, instead we block him completely and we move features on another application. I don't believe that's the right way to do it. This only makes him more stupid, not more secure.



