Have you tried:
Create a new group "readers", with "read" userright. Disable "read" rights for "users" group. Put your open content in the $wgWhitelistRead variable (login, main pages, etc); make sure anything sensisitve isn't in $wgWhitelistRead. To "activate" a new account, a burecrat has to add them to group "readers". To "deactivate" a new account, a burecrat removes them from group "readers".
See: http://meta.wikimedia.org/wiki/Help:User_rights LocalSettings.php includes/DefaultSettings.php
I haven't tested this quite yet, but was going to this week for an internal corporate MediaWiki I'm running.
If it doesn't work, let me know, so I can figure something else out. 8-)