Hi Venu,
There's no way that in a standard system a user receives authorization for infotypes 'for free'.
Could it be that there are some system settings interfering with the standard authorization check mechanism?
Have a look at the following parameters (in RZ11):
auth/no_check_in_some_cases&
auth/object_disabling_active
In transaction AUTH_SWITCH_OBJECTS it is possible to deactivate specific authorization objects. Can you check whether perhaps the check for P_ORGIN is deactivated?
Goodluck!
Dimitri.