dwielgosz

How can I prevent someone from logging into the local machine (as opposed to the domain)

I've got a user that is getting around the policies that are in effect here by logging into the local pc and not our domain. He is thus able to "detect internet connection automatically" and connect straight through our router instead of the web proxy that's in place.
Pete Long

Only allow out the IP address of the web proxy on either the firewall or the router on TCP port 80
dwielgosz

ASKER

Don't want to totally restrict flow to 1 IP because there are several PCs in my server room that don't like having to go through the web proxy.
Or on the client PC (or through domain policy if this is rife on your network):
Start > Run > gpedit.msc
Double-click the Computer Configuration branch to expand it, and then double-click the Windows Settings branch to expand it.
Double-click the Security Settings branch to expand it, and then double-click the Local Policies branch to expand it.
Double-click the User Rights Assignment branch to expand it, then double-click the Log On Locally branch to expand it.

Add in Domain users, and remove all the local groups except Administrators

job done :)
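To check the result of the "Log On Locally" steps above, the right can be exported and listed from an elevated PowerShell prompt. This is an added example, not part of the original post; it assumes the built-in `secedit` tool and uses a temporary file name chosen here.

```powershell
# Added example: list who holds "Log on locally" (SeInteractiveLogonRight).
# Run from an elevated PowerShell prompt on the client PC.
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # temp file name is arbitrary
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The export has a [Privilege Rights] section with lines such as:
#   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
$line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item $cfg

if (-not $line) {
    Write-Output 'SeInteractiveLogonRight is not defined in the exported policy.'
} else {
    $entries = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() }
    foreach ($entry in $entries) {
        $isAdmins = $false
        if ($entry.StartsWith('*')) {
            # Entries prefixed with * are SIDs; resolve them to account names.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '(unresolved SID)' }
            $isAdmins = $sid.IsWellKnown(
                [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid)
        } else {
            # Entries without * are already account names.
            $name = $entry
        }
        [pscustomobject]@{
            Entry                 = $entry
            Name                  = $name
            BuiltinAdministrators = $isAdmins
        }
    }
}
```

A row with `BuiltinAdministrators` set to `True` means any member of the local Administrators group, including the local administrator account, can still log on at the console after the change.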
Sounds good, except the login that's being used is the local administrator account. Is there a way on the network to set the admin p/w on a local machine? I suppose I could restrict that machine to a static IP and then exclude that address on the Cisco router. Hahaha, another learning curve.
SOLUTION
Seelan Naidoo
ASKER CERTIFIED SOLUTION
Yes, thank you both. I should have thought of that myself. I did not want to physically go into that office and change it; I had forgotten about the remote login through "manage". Thought splitting the points was the best solution. The password has been changed already.