On the first point, this *can* be done with a little work, although it's not perfect. Use a little server-side code to create a 1-time-code for use in the search script. Store these codes in a database along with a timestamp of when they were created, and if the code is older than 30 minutes, fail the search. It won't stop them from reloading a new page, but would keep them from using the same page over and over again. You could also do the same thing with cookies, which would be a tiny bit harder for the user to work around.

Perhaps a better solution is to take the database 'private' and require registration before use - you could then track who did what, and manually blacklist the abusers.

None of that is impregnable, but the goal of any security is simply to make it too much trouble for the would-be attacker compared with the value of the data.

Sales people are persistant and have a lot of time on their hands, but are not usually very technical. Combine HTTP basic authentication with a registration process and a cookie to track # of searches, and you'd probably block 90% of them.