There's a number of applicable permissions, like set own password and set own properties. But I think disabling set own password implies a user can still request a password reset, it just sends a link then.
I'd solve this visually, by disabling parts of the UI, either in the Plone backend or stripping it out with Diazo (or even hiding it in CSS) - all depending on how hard your security requirements are.