[sudo-users] Disabling "sudo su" but allow everything else?

[Jimmy Crackcorn]

I know it's not the preferred way to go about doing things but I've
got a group of people that ssh into systems with a designated user
account and I want to allow them to do everything on the system other
than doing a 'sudo su' and 'sudo su -'.  I've tried the following but
can't seem to get it to work:

  User_Alias      OKGUYS = userone, usertwo
  Cmnd_Alias NON=!/usr/bin/sudo su, !/usr/bin/sudo su -
  OKGUYS ALL = NOPASSWD: ALL, NON

Is there a way to actually do this?

Cheers!