I would choose 1. If you don't retrieve user information from your database in each request, users may also have trouble updating their data. For instance, I can log in at home, change my profile description to 'foo' and go to work. There I log in as well, which results in a different session. I change the information to 'bar', which is stored in the database and in my work session. Then I go home and continue browsing in the previously opened home session, which will still contain 'foo'.
Therefore, I think you should at least do some checking against the user database on each request, so during that step you can check if the user is banned as well.
To speed this up, you could keep a special table with storage type MEMORY to keep session information in. This table can be accessed really fast, so it may increase performance. You only need to move information there if a user has changed in the 'real' database. You may use memcache in a similar way. Both are solutions to keep database IO to a minimum while still having the same results. I would add these optimizations only when you need them. Start with just querying the user on each request.
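
An added illustration of the approach in this answer (not part of the original post): the session stores only the user id, and each request loads the profile and ban flag through a small cache that is dropped whenever the user row changes. The SQLite schema, the `user_cache` dict standing in for a MEMORY table or memcache, and all function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data: in-memory SQLite stands in for the 'real' user database.
db = sqlite3.connect(":memory:")
db.execute(
    "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT, banned INTEGER)"
)
db.execute("INSERT INTO users VALUES (1, 'alice', 'foo', 0)")

# Hypothetical stand-in for a MEMORY table or memcache: user_id -> row dict.
user_cache = {}


def load_user(user_id):
    """Return the current user row, querying the database only on a cache miss."""
    if user_id not in user_cache:
        row = db.execute(
            "SELECT id, name, bio, banned FROM users WHERE id = ?", (user_id,)
        ).fetchone()
        if row is None:
            return None
        user_cache[user_id] = dict(zip(("id", "name", "bio", "banned"), row))
    return user_cache[user_id]


def update_user(user_id, bio=None, banned=None):
    """Write to the database, then drop the cached copy so no session sees stale data."""
    db.execute(
        "UPDATE users SET bio = COALESCE(?, bio), banned = COALESCE(?, banned) "
        "WHERE id = ?",
        (bio, banned, user_id),
    )
    db.commit()
    user_cache.pop(user_id, None)


def handle_request(session):
    """Session holds only the user id; profile and ban state are checked per request."""
    user = load_user(session.get("user_id"))
    if user is None or user["banned"]:
        session.clear()  # a banned or deleted user loses access on the next request
        return 403, None
    return 200, user["bio"]
```

Because the cache entry is removed on every write, both the stale 'foo' profile and a ban issued mid-session take effect on the next request from any open session.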