I am guessing you are limiting use due to workstation location or something similar.
If this is the case you could create Security groups for each area, (or group of PC’s) and change the PC’s so that the Local User group on each machine contains the new group created above. (remove the users from the domain users group of course).
Then you can just add the students to the relevent security group and this will limit their logon’s to
those specific machines (which can be more if added to more than one group)
This may be slightly time consuming at first, but will be much easier to manage in the future
with the possability of students moving around, or new ones coming in.
This is assuming they don’t need to be in the Domain Users group for anything.
If they do, you may will need, instead, to add the new group to the machines Local User Group,
but remove the Domain Users group from the machine.
*** Improved by Wrobinson on 02/08/08 ***
You can better automate and enforce this using restricted groups in Active Directory. First, segregate the workstations by OU based on security profile and then apply a GPO to each with the appropriate groups and memberships defined. You can find more information by performing a search for “restricted groups” using your favorite Web search engine, such as Microsoft Live Search.