So that application is a two-tier application and users are members of that group?

In that case, your only option is to put the application on Terminal Server/Citrix etc, so that when users log in on the TS, they directly get into the application with no possibility to get out. Furthermore, the network admin needs to segment the network, so that users cannot access SQL Server from their desktops; SQL Server is only visible from that terminal server.