First, add a field to your users table to store the currently used session ID. This ID is easily accessible from your code. When the user logs in, store that ID.

On every page request, check to verify that the current session ID matches what was stored in your user table. If it doesn’t match, then clear the current session data and kick the user back to the log in screen.

This will not stop the user from using multiple tabs in IE 7 because IE7 uses the same instance for each tab; but it will stop them from using multiple browser instances.

The reason why this will work is that each browser contains it’s own cookie space. Session’s are matched up server side based on a cookie value that stores the session id and is sent back to the server on each request.

Incidentally, this is not a very effective means of eliminating session hijacking; which it sounds like the security audit is trying to prevent. If you need to do that, update your question and I’ll go further.

UPDATE

One way to stop session hijacking is to store a random number in the session and as a cookie on the browser. When the next request comes in, verify that the cookie and session values match. If they don’t then reset the session id variable in your user table. This will force all sessions to log in again. For every page request (post / get) create a new random value. The downside is that pages can not be bookmarked; but that’s probably acceptable.