I'm using Drupal 4.7.3. I have enabled upload module and allow only some extensions e.g. only txt html zip.

Using a user account, I still able to upload jpg and gif files (tested with non-spaced filename of these two extentions) while others e.g. bzip are appropriately rejected.

Please check this out.