The reason there is a copy of the user in user management and under membership review list, is that the user has to be created right from the start, in order to reserve the username for the user. Otherwise somebody else could register with the same username before approval which would cause all kinds of problems. The user is disabled until the user is approved.
The reason the user has access even though you didn’t add them to an sp group is because the membership request web part automatically adds them to a selected group (if you put the web part on a normal page you can select the group when you edit the web part properties). I suggest you put them in a group that has no permissions (Maybe make an FBA Users group), and then they won’t have permissions until you add them to additional groups.
The user should automatically be removed from the review list when they are marked as approved. You shouldn’t need a workflow to do that.