AAA command authorization gotchas
Once upon a time, AAA command authorization in Cisco IOS queried the TACACS+ server for every single command a user entered. Rules have changed drastically in the meantime (at least for IOS release 12.4):
- Non-privileged show commands are executed without TACACS+ authorization. Privileged show commands (show running or show archive log config) are still authorized.
- Some commands that can be executed in non-privileged (aka disable) mode (enable, disable, help, logout) are authorized only if you configure aaa authorization commands 0 methods regardless of the current privilege level.
- Other commands (for example, ping) are authorized based on the current privilege level. For example, if you’ve configured AAA command authorization only for privilege level 15, the ping command is authorized when you’re working in enable mode, but not otherwise.
- Command authorization is not performed on console unless you’ve configured aaa authorization console.
This is the sample configuration I’ve used to run the tests with IOS release 12.4(19):
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
!
username x password y
!
tacacs-server host 192.168.200.201
http://www.shrubbery.net/tac_plus/
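A small audit script, added here as an example and not part of the original post, that checks a saved IOS configuration against the gotchas listed above: whether privilege level 0 and level 15 command authorization exist, whether level 1 (the default user EXEC level, where commands such as ping land) is covered, whether `aaa authorization console` is present, and whether a method list ends in `none` (fail-open when the TACACS+ server is unreachable). The sample input is the post's own test configuration; the "hardened" variant is a constructed comparison that uses `local` as the fallback method and is an assumption about policy, not something the post prescribes.

```python
"""Audit a Cisco IOS configuration for the AAA command-authorization
gotchas described in the post (added example, not the post's own code)."""
import re

# Constructed input: the post's 12.4(19) test configuration as text.
SAMPLE_CONFIG = """\
aaa new-model
!
aaa authentication login default local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
!
username x password y
!
tacacs-server host 192.168.200.201
"""

# Constructed comparison (assumption, not from the post): console sessions
# authorized, level 1 covered, and a 'local' fallback instead of 'none'.
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
username x password y
tacacs-server host 192.168.200.201
"""

# aaa authorization commands <level> <list-name> <method> [<method> ...]
CMD_AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")


def parse_methods(text):
    """Turn 'group tacacs+ none' into ['group tacacs+', 'none'];
    'group' always consumes the following server-group token."""
    tokens = text.split()
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_command_authorization(config):
    """Return {privilege_level: [methods]} for every command-authorization line."""
    levels = {}
    for line in config.splitlines():
        m = CMD_AUTHZ_RE.match(line.strip())
        if m:
            levels[int(m.group(1))] = parse_methods(m.group(3))
    return levels


def audit(config):
    """Return a list of (severity, finding) tuples; empty means no gotcha hit."""
    findings = []
    lines = {line.strip() for line in config.splitlines()}
    if "aaa new-model" not in lines:
        # Without new-model AAA none of the other statements take effect.
        return [("high", "aaa new-model missing: AAA command authorization is not active")]
    levels = parse_command_authorization(config)
    if 15 not in levels:
        findings.append(("high", "no command authorization for privilege level 15"))
    if 0 not in levels:
        findings.append(("medium", "enable/disable/help/logout are never authorized: "
                                   "'aaa authorization commands 0 ...' missing"))
    if 1 not in levels:
        findings.append(("medium", "no command authorization for privilege level 1: "
                                   "commands such as ping run unauthorized in user EXEC mode"))
    if "aaa authorization console" not in lines:
        findings.append(("medium", "console sessions skip command authorization: "
                                   "'aaa authorization console' missing"))
    for level, methods in sorted(levels.items()):
        if "none" in methods:
            findings.append(("medium", f"level {level} falls back to 'none': every command "
                                       "is permitted when the TACACS+ server is unreachable"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for severity, text in audit(cfg) or [("ok", "no findings")]:
            print(f"  [{severity}] {text}")
```

Run against the post's configuration the script reports the missing console authorization, the uncovered level 1, and the `none` fallback on levels 0 and 15; the check for `aaa new-model` short-circuits because nothing else is in effect without it.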