Assumption is that you are using MS Access and have a multi-user environment set up.
First - Absolutely NOTHING is 100% secure.
Easiest solution is to convert your production version of the .mdb to .mde - This will compile your code and not allow the users access to the forms, queries and code that makes your application work. (Tools/Database Utilities/Make MDE File)
This isn't fool proof, but it would cause your co-worker additional effort which might make him/her decide to go bother someone else.
Being that you already know who did this, using the built-in Security wouldn't be of much help.
This sort of "joke" is not something you play on your friends, so you probably have another issue to deal with also.
After creating the .mde, did you open the .mde rather than opening the .mdb?
When using the .mde, the users cannot modify your forms, queries, reports or modules.
Without modifying your Menu Bar to remove Admin functions, the user could CHANGE your startup to point to a different Autoexec but they shouldn't be able to modify the one you have as it should be a form and the .mde prevents them from modifying forms.
You have to do multiple things in order to address all possible threats. Again, the easiest solution is what I've provided above.... I would say you need to modify your Menu Bar, eliminating the Tools option (at the least) and then convert to an .mde.
Group level security is a stronger option, but one that will take some learning to implement properly. There too, you should eliminate the Tools option in your Menu Bar.
I elimated the tools menu some time ago, It seems the perpetraitor made a dummy data base and imported one of my macro's into his DB; then he changed the function of my AUTOEXE to disable certain forms and exported it back into my DB.
I guess the MDE will keep him from doing this again?
The only way to definitively protect them is to convert them to code, but you could try hiding the autoexec macro so your pirate mate can't see it when he browses from another database.
You could also use a network folder that others (but not this guy) can access. If he can't browse to the database he can't do anything with it. Talk to IT about setting up the permissions for you: all legitimate users will need to have read/write access to the folder.