I have done a lot of work with security in the Altiris console and trust me when I say that it can be a pain. As far as you are concerned though, you say that you switched him from Supervisors to Level 1 workers. Just to make sure we are on the same page, I will make the assumption that these are the out of box roles and not custom ones. With that being said, you actually can see a lot of the same things in Supervisors as you can in Level 1...or so it appears.
Out of the box roles do not have any permissions removed for things such as the ability to read Console menu items. Even in the Enhanced console views, you will be able to see most of everything. Once you start going through some of the menus, you will be hit with "Access Denied".
So, in essence, the Level 1 role may be able to "See" more than you want them too, but they can not "Do" much. If the "See" part is concerning you, I would recommend cloning the Level 1 role and removing some of the permissions to Read objects such as console menus and the like.
Also, make sure you look at what Igor has said. I have tripped myself up on this before when people are nested in groups which are nested in roles, etc.
Last, changes to a persons role are almost instant. Once you move them from Supervisor to Level 1, and click Save, they are now Level 1 once the refresh their IE window. Even if they just right-click something, if permissions changed on what is available through the right-click, it will be apparent immediately. There is a way to clear out someones cache via SQL directly, but I dont think that is necessary in this instance.