What about setting up a network just within the lab which is only accessible from lab computers? That would solve the problem for you. Install a file server on that network and computers not on the network cannot access it.
Another option might be to create a VLAN for each lab. Set up a firewall to permit only file services to clients on that VLAN. The issue would be that some of the AD services use the same ports as the file services (139, 445) and would have to be permitted between the DCs and the file server(s).
How about using the computers as the group? Either a standard AD security group with computer names as members, or create an OU with computers with a corresponding Group Policy with the appropriate login script. I am not sure if you use login scripts at the OU / group policy level or just at the user level.
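As an added illustration of the VLAN suggestion above (not code from any of the posters), the same restriction can be enforced on the file server itself with Windows Firewall, allowing ports 139 and 445 only from the lab VLAN and the DCs. The subnet, the DC addresses and the rule name are constructed placeholders, and using the host firewall rather than a network firewall is an assumption.

```powershell
# Run elevated on the file server. All addresses below are constructed placeholders.
$LabVlan  = '10.20.30.0/24'            # assumed lab VLAN subnet
$DCs      = '10.0.0.10', '10.0.0.11'   # assumed domain controller addresses
$RuleName = 'Lab file services (SMB/NetBIOS) - scoped'

# Anything not explicitly allowed inbound is dropped on the domain profile.
Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block

# The built-in rules allow file sharing from any address on the profile, so
# turn them off (this group also contains the ICMP echo rules; the display
# group name is localized on non-English systems).
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'

# Replace an earlier copy of the scoped rule so the script can be re-run.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Allow TCP 139/445 only from the lab VLAN and from the DCs, which need the
# same ports to reach the file server.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Action Allow -Profile Domain `
    -Protocol TCP -LocalPort 139, 445 `
    -RemoteAddress (@($LabVlan) + $DCs) | Out-Null

# Show the effective scope for review.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```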