Domain Users Able to Conect Remotely Despite GPO Prohibition - Help!

Greetings all,

Here's a puzzle:

Our domain policy is set so that only one domain group is in the local
"Remote Desktop Users" group on an Active Directory workstation. We
add a domain user to that domain group and then restrict the user to
logon to their workstation via the "log on to" button in the account
properties. This effectively locks them down to one workstation while
allowing us to administer RDP centrally.

However, we're finding that people who aren't in that remote group can
still log on remotely. However, when you force a GPO update via
gpupdate /force, they then cannot logon (they get a "you do not have
access . . . " message. This works fine until they log on to the
workstation locally again. Then, they can log on remotely again.
They're not local admins, they're not in a group that has admin
priviliges. Does anyone know why this is happening or where I can
start looking in the GPOs? Any help would be greatly appreciated.
Thanks.