Clear the session vars if they're stored in there, redirect the user to some "goodbye" page.

But basically, if it's a windows authentication based app, then you can simply wait until the user closes his window.