One could enforce it by looking at the "referer" field in the http headers (yes, we know that it should be spelled referrer, but it is mispelled that way in the standard/rfc). If the referrer is from "somewhere else" then they could redirect the user to the front page.
This is similar to how many websites, such as Wall Street Journal, will let non-subcribers read an article if the user came in via a Google search (essentially, if the http-referer field = google, then the subscriber check is bypassed).
No deep-linking? wow. (Not quite sure how they enforce that rule)