There is a tried and true method for disabling a win group in sql. Now don't tell anyone, cause this is a secret I've kept close for a long time.

Drop Login [Domain\WinGroup]

Seriously, if you want to deny it then drop it and be done.

I understand it may be a situation where you don't want to disable permenantly, but you may have to manage the process in that case.

You'd have to script it out and just run that code whenever you wanted to bring it back.

If you don't want to do that, then a login trigger may be the trick. Just rollback if it's in that group, but I'd have to test hat. I don't know if the EVENTDATA() function will pick up the group name.

Other than that, y, deny connect rights.