When using startx as the command to start your display manager, I noticed that if you lock your session while logged into an environment such as KDE (3.4, more specifically), the Ctrl+Alt+Backspace (aka don't zap) option does not get disabled. Thus, an attacker with physical access to the machine can zap the X server, in which case it will bounce back to tty1 (assuming udev) or vc/1 (devfs), and the attacker gains the shell with the privileges that startx had. For example, a root or user shell.
This is by design; as you mention, DontZap is the solution if that is something you want to do.
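The DontZap setting referred to above is a boolean option in the `ServerFlags` section of xorg.conf. The following is an added example, not part of the original report or reply: a shell check that tells whether a given config enables it, run against two constructed sample files. The function names and sample contents are assumptions, and the parser only handles the plain `Option "DontZap" "value"` spelling.

```shell
#!/bin/sh
# dontzap_enabled FILE -> exit 0 if a ServerFlags section enables DontZap, else 1.
dontzap_enabled() {
    awk '
        { sub(/#.*/, "") }                       # drop xorg.conf comments
        tolower($1) == "section" {
            in_flags = (tolower($2) == "\"serverflags\""); next
        }
        tolower($1) == "endsection" { in_flags = 0; next }
        in_flags && tolower($1) == "option" && tolower($2) == "\"dontzap\"" {
            v = tolower($3); gsub(/"/, "", v)
            # xorg.conf booleans: an option given without a value counts as true
            found = (v == "" || v == "1" || v == "on" || v == "true" || v == "yes")
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# make_sample weak|hardened -> writes a constructed config, prints its path.
make_sample() {
    f=$(mktemp) || return 1
    if [ "$1" = hardened ]; then
        cat >"$f" <<'EOF'
Section "ServerFlags"
    Option "DontZap" "true"   # Ctrl+Alt+Backspace no longer kills the server
EndSection
EOF
    else
        cat >"$f" <<'EOF'
Section "ServerFlags"
    # Option "DontZap" "true"
    Option "AllowMouseOpenFail" "true"
EndSection
EOF
    fi
    printf '%s\n' "$f"
}

for kind in weak hardened; do
    cfg=$(make_sample "$kind")
    if dontzap_enabled "$cfg"; then
        echo "$kind: DontZap enabled"
    else
        echo "$kind: DontZap not set, a locked startx session can be zapped back to the shell"
    fi
    rm -f "$cfg"
done
```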