Following this question, I'd like to know if there is a way to override that new rails behaviour. I run into a security issue with a forgotten view, that was suddenly exposed although the action was not defined in my Controller. I think it'd be better to stop Rails from rendering those not-defined actions and after that cleaning my unused views.
Change your routes for that controller to not route to those actions.
resources :users, :except => [:index, :destroy]
resources :sessions, :only => [:new, :create, :destroy]
Those routes will become non-routable even if the views exists, you can then deal with the views as needed.