ZEN would have been my first choice as well, but since the originator of this thread didn't give much detail, I described the traditional method.
As for reicherb's remark, you would have to restrict addresses for every user object that you did not want to have access to that particular workstation.
For example, let's say you were working with three workstations and three users...
WS1 = 10.0.0.1
WS2 = 10.0.0.2
WS3 = 10.0.0.3
If you only wanted User1 user to use WS1, you would specify 10.0.0.1 as the IP address you want to restrict for that user object. That user would not be able to login to WS2 or WS3. However, the other two users would be able to login to WS1 unless you specified an address restriction for their user objects as well.
If you took this a step further and specified 10.0.0.2 for User2, and 10.0.03 for User3, then the end result would be:
User1 can login from only WS1
User2 can login from only WS2
User3 can login from only WS3
So, basically, you would need to add an address restriction for ALL the workstations that you want a user to be able to login from. The workstations you don't want them to login from would be omitted from the list. It could get really hairy if you were working with a large nubmer of users and workstations.
As for the client workaround that I mentioned in my first post, it looks as though it has already been mentioned indirectly. You could setup only one local user account on the workstation, then configure the default location profile to synchronize passwords with that account.