I manage the client side of AD in a Windows 7 / 2008 environment with about 2000 devices.
We have ~1500 team members with AD accounts.
Our HR department wants to make a third-party training website available to ~200 team members who currently do not have devices or AD accounts. They want them to be able to 'walk up' to any available computer a few times a month and access only this one URL, no network resources, and they don't want to pay for CALs to get domain accounts.
The only idea I'm toying with is opening up a single shared domain account with no access, whitelisting the URL at the proxy so it doesn't require authentication, and finding a way to lock down that user profile 100% at the client side to only present a URL shortcut and no other options at all. I'm not sure what policies that would take; I don't see how to apply policies based upon a specific user. I'm also very concerned about the security implications.