What I need to accomplish: With one login, when user is physically in the building I need them to see everything. When they are using terminal services with same login they should not be able to see the file system on the network. I can lock down the PC running terminal services as that is its only use.

Details:

Windows/2003 Server with terminal services.

One login for a user (e.g., johndoe).

When johndoe logs into the network at his desk in the office, he can see the network files according to group policy.

When johndoe logs into terminal services from outside the building, we do not want to allow him see the network. Using 2x to do a published app, but that app has a "feature" that allows user to see network.

Published application on termina services (only) is a document management system that is tied to windows login, so I can't give them two logins.

With one login, when they are in the building I need them to see everything. When they are using terminal services they should not be able to see the network. I can lock down the PC running terminal services as that is its only use.