hi,
I deploy projects with Terminal Server + Citrix, and I am used to solving these problems in an indirect way.
We don't publish the entire desktop to users, but just the applications they need. You can do something similar without
Citrix, with some limitations, but it can be done.
Do these users log in to the server just to use the db-program?
When they log in, do they use another username (a db one, different
from their domain one)?
If yes, disable TS for these users and publish a TS link to this program for a generic domain user called TS-Skyline,
which has access to TS and just launches the program. When they exit from the program, the session closes.
To the user TS-Skyline you can apply GPO policies such as removing links
from the desktop, and so on, so that if they make an interactive login (not using the link, but logging in as before), they are limited.
If the idea seems good, we'll try to improve and detail it.
ciao
vittorio
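As an added illustration of the setup described above (not part of the original reply), the PowerShell below writes the "TS link" (an .rdp file) for the generic TS-Skyline account and, more importantly, sets the initial program on the server side, because the "alternate shell" in the client .rdp file is only a request that the server-side "Starting program" setting can override. The server name, OU path and program path are assumptions; replace them with your own.

```powershell
# Assumed values: adjust server, OU path and program location to your environment.
$tsServer    = 'TS01.example.local'
$domain      = 'EXAMPLE'
$genericUser = 'TS-Skyline'
$programPath = 'C:\Skyline\SkylineDb.exe'          # the db-program the link must launch
$workDir     = 'C:\Skyline'
$userDn      = "LDAP://CN=$genericUser,OU=TS Users,DC=example,DC=local"

# 1. The published link: an .rdp file that connects as the generic user and
#    asks the server to start only the db-program instead of a full desktop.
$rdp = @"
full address:s:$tsServer
username:s:$genericUser
domain:s:$domain
alternate shell:s:$programPath
shell working directory:s:$workDir
"@
Set-Content -Path "\\$tsServer\Public\Skyline.rdp" -Value $rdp -Encoding ASCII

# 2. Enforce the same restriction server-side on the account's TS profile
#    (IADsTSUserEx properties). With an initial program set, the session ends
#    when the program exits, even if a user edits the .rdp file themselves.
$acct = [ADSI]$userDn
$acct.psbase.InvokeSet('TerminalServicesInitialProgram', $programPath)
$acct.psbase.InvokeSet('TerminalServicesWorkDirectory', $workDir)
$acct.psbase.InvokeSet('AllowLogon', 1)           # TS-Skyline may log on to TS
$acct.SetInfo()

# 3. Disable TS logon for the ordinary accounts that used to log in interactively.
foreach ($dn in @('LDAP://CN=Mario Rossi,OU=Users,DC=example,DC=local')) {
    $u = [ADSI]$dn
    $u.psbase.InvokeSet('AllowLogon', 0)          # 0 = deny Terminal Services logon
    $u.SetInfo()
}
```

The GPO lockdown for TS-Skyline (hiding desktop links, Run, etc.) is still needed for the case where someone logs in interactively with that account rather than through the link.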