In my experience once someone with malicious intent has physical access to the hardware regardless of platform or OS all bets are off regarding security.
However you can password protect grub entries in a way that would require it before loading that specific entry by adding a new line after the title line for each entry you want to protect.
password yourpasswordhere
Or a better way is to hash your password by entering the grub shell and then issuing the md5crypt command and following the interactive prompts to generate a hash and then adding that as above but with the hash in place of the plain password preceded with the -md5 flag
so
password -md5 generated password hash
I'd recommend the latter method so that your grub passwords aren't discovered if someone views menu.lst
As well as on the boot line for single user mode you need to add the same string in the first section of the grub config to prevent people entering the grub interactive shell and modifying the default entry to give them single user mode etc.
As usual all disclaimers apply when editing your bootloader config, read the manpages first !
This still doesn't prevent the machine being booted from removable media unless you also lock down the bios and/or the boot disk could still be mounted on a different machine and the grub config edited to remove/change the passwords but it is a step in the right direction.