I use a logon trigger to acheive this, blocking an AD group accessing via certain applications, but the trigger could quite easily just block the group.
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" 😉