I say the password does matter under certain circumstances. Call it "unique coding" but the 8602 does have a strange password behavior.
If under SYSTEM-->DEVICES AND FEATURE CODES-->STATIONS-->XXXX-->IP SETTINGS-->NETWORK CONFIGURATION the password field is blank, then the 8602 will connect regardless if a password is supplied in the 8602.
However, if a password is defined in the path above, the 8602 will not connect unless its password matches. If there is a mismatch an error will be shown like this:
Trying to find remote IPRC/IPRA via TCP messages.
Connection established. Waiting for authentication...
Connection refused because the password was incorrect
As for locking it down, toll restrict it as appropriate, and maybe even deny CO access if they're only receiving calls. If they need to make calls then force account codes to make them accountable. Even if you never follow up on the calls reports, there is a sense of ownership to an agent if they have to enter a unique code to make a call.
If you're putting this in a corporate environment, they will all most likely be connecting from a common IP. In your firewall you could lock down that IP as a source address. You could also apply firewall schedules (if supported) to only allow connections from that IP between certain hours. This
should help out in case they load these on laptops which might be taken off prem. How far do you want to go? Assuming they will maliciously abuse these is something you should prepare for.