Last night in #oracle, someone new to Oracle had some confusion with the SYSDBA privilege. I proceeded to dropsomescience on him, but here's a basic primer:
Only a user with the SYSDBA privilege can startup or shutdown an instance.
The oracle OS user can "connect / as sysdba" without providing any further authentication. This is why you want to restrict access to that user as well. In fact, that user (and probably anyone in the dba OS group) can "connect sys/not_a_real_password as sysdba" and it will always succeed. Beware!
When you connect AS SYSDBA, you'll be logged in as SYS, regardless of what user you originally were connecting as.