We once logged the inability to actually turn off REST as a bug (SOS-DEF-338), but it was dropped as being designed behavior, more or less. Browser REST requests will still be honored even if the service is turned off, if you are logged into Jama. This is because the Jama front-end makes REST calls for some of its functionality. Making the request from anywhere that doesn't have a JSESSIONID cookie should show the standard 'REST is disabled' message or a 404 or whatever it's supposed to do.You make a good point about the documentation saying nothing to this end. I'm submitting a documentation task to clarify this; you should expect that update to be visible in the next Standard release.
HEADQUARTERS|135 SW Taylor Suite 200, Portland, Oregon, 97204