Question:
Why are administrators within a Sandbox org still able to use Login As to assume a user's identity even though Administrators Can Log in as Any User is unchecked within Login Access Policies?
Answer:
This is working as designed.
If a user account is copied from a Sandbox refresh (rather than created manually within the Sandbox), Administrators have login access for 10 years from the date the Sandbox is created.
Related Documentation:
SFDC Help Documentation: Can’t Disable the Feature 'Administrators Can Login as Any User' in Sandboxes