sunhux

asked on

Allowing a local account for incoming Rdp but not outgoing Rdp

We are using a privileged account tool (Cyberark) where an app user is given an approved link. When he clicks on it, he is RDP'ed from the Cyberark server into the target server with a specific local non-privileged account (in the target server) that he's approved to access, so that the activities he's doing in the target server are "video recorded".

After logging in to the target server, we want to ensure he can't RDP out to other servers by running mstsc to log in to other servers. How can we achieve this just for his account?

I can think of setting up Windows Firewall rules that block RDP out, but can such firewall rules be applied only to a specific account, or are they server-wide (as firewall rules are based on source + destination plus port)? Other users who log in to this server will still need to be able to RDP out.

Target server is running Win2008 R2
SOLUTION
masnrock
btan

To deny a user or a group logon via RDP, explicitly set the "Deny logon through Remote Desktop Services" privilege on the other system. To do this, open a group policy editor (either local to the server or from an OU) and set this privilege:

Start | Run | Gpedit.msc if editing the local policy, or choose the appropriate policy and edit it.
Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment.
Find and double-click "Deny logon through Remote Desktop Services".
Add the user and/or the group that you would like to deny access.
Click OK.
Either run gpupdate /force /target:computer or wait for the next policy refresh for this setting to take effect.

Check that user's "Log On To" setting in the user property attributes:
"Log On To" setting - Click to specify workstation logon restrictions that will allow this user to log on only to specified computers in the domain. By default, a user is able to log on at any workstation computer that is joined to the domain. Note that this control does not affect the user's ability to log on locally to a computer using a local computer account instead of a domain account.

I am also thinking of modifying the built-in inbound firewall rule for Remote Desktop to only allow those IP addresses that are authorised, but not the target server instance. In short, deny the target system from doing any further RDP regardless of user identity. E.g. Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Allow inbound Remote Desktop exceptions: Enabled, Allow unsolicited incoming messages from these IP addresses (state the static IP specified).

Having IPsec enforced on the other systems would be good too, but it is indeed non-trivial.
You need to restrict the RDP client using group policy.
How about changing permissions for the mstsc.exe itself?
You can copy/paste mstsc.exe to your desktop...
... if you gain access to it. AppLocker could detect and block the EXE.
sunhux (ASKER)
It's a local account, so does GPO policy still help?

>changing permissions for the mstsc.exe itself?
Can I use icacls  & what's the exact command?
sunhux (ASKER)
What are the shortcomings/potential unexpected disruptions if I do the following:

 icacls c:\windows\system32\mstsc.exe /deny Users:(RX)      <== for local accounts?
 icacls c:\windows\system32\mstsc.exe /deny "Authenticated Users":(RX) <== for domain accounts?

I tried doing "icacls ..\system32\mstsc.exe /remove:g "Authenticated Users":(RX)",
 but it simply doesn't process (i.e. it doesn't remove that ACE).
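As an added example, not something posted in this thread, the following elevated PowerShell session puts a deny ACE for one local account on the RDP client instead of on Users or Authenticated Users: every interactive logon, administrators included, belongs to both of those groups, so the asker's two commands would block everyone on the box. The account name rdp_app_user and the backup directory C:\ACLBackup are placeholders; icacls itself is the tool the asker is already using and ships with Win2008 R2.

```powershell
# Added example (not from the thread): deny ONE local account execute access to the
# RDP client while everyone else keeps the ability to RDP out.
# Run from an elevated PowerShell prompt on the target server.
$Account   = "rdp_app_user"          # assumed placeholder for the CyberArk-managed local account
$BackupDir = "C:\ACLBackup"          # assumed placeholder for the ACL backup location
$Clients   = @("$env:SystemRoot\System32\mstsc.exe",
               "$env:SystemRoot\SysWOW64\mstsc.exe")   # x64 hosts also carry a 32-bit client

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($exe in $Clients) {
    if (-not (Test-Path $exe)) { continue }
    $dir  = Split-Path $exe -Parent
    $save = Join-Path $BackupDir ("{0}_mstsc.acl" -f (Split-Path $dir -Leaf))

    # 1. Keep a copy of the current DACL so the change can be rolled back later with
    #    icacls <directory> /restore <file>  (the saved entries are relative to the directory).
    icacls $exe /save $save /C | Out-Null

    # 2. System32 binaries are owned by TrustedInstaller and Administrators only hold
    #    Read & Execute, so take ownership before the DACL can be edited.
    icacls $exe /setowner "BUILTIN\Administrators" /C | Out-Null

    # 3. Deny only the target account. Denying Users or Authenticated Users would also
    #    hit administrators and every other interactive user of the server.
    icacls $exe /deny "${Account}:(RX)" /C | Out-Null
}

# 4. Verify: each file should now list "<account>:(DENY)(RX)" above the inherited/allow entries.
foreach ($exe in $Clients) { if (Test-Path $exe) { icacls $exe } }

# Roll back the whole DACL:   icacls $env:SystemRoot\System32 /restore C:\ACLBackup\System32_mstsc.acl
# Remove just the deny ACE:   icacls <exe> /remove:d $Account
#   (/remove takes the account name only; it does not accept an (RX) permission list,
#    which is why a /remove:g "...":(RX) invocation has nothing to match.)
```

Two caveats a defender should plan for: Windows servicing can replace mstsc.exe and reset its DACL, so the check in step 4 belongs in a periodic compliance script rather than being run once; and a deny on the bundled client does not stop an account from bringing its own RDP client, so this is a control on the commonly used binary, not on the protocol.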
sunhux (ASKER)
I'll need approval to install AppLocker, so I'm exploring icacls first.
Revisiting this thread, I'd like to correct myself: you wouldn't need to set up IPsec to use firewall rules per user, so that is surely an even easier way: block all outgoing ports for these users apart from those needed.
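The per-user firewall rule described in the post above, written out as an added example that is not from the thread. It relies on the NetSecurity cmdlets and the -LocalUser rule property, which exist from Windows Server 2012 / Windows 8 onward; on the asker's Win2008 R2 target that property is not available, so this applies to newer hosts. The account name rdp_app_user is a placeholder.

```powershell
# Added example (not from the thread): scope an outbound RDP block to a single local
# account with Windows Firewall. Requires Windows Server 2012 / Windows 8 or later.
# Run from an elevated PowerShell prompt.
$Account = "rdp_app_user"     # assumed placeholder for the restricted local account

# Firewall principals are expressed in SDDL, so resolve the account name to its SID first.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# A DACL with one allow ACE (CC right) for that SID makes the rule apply to that
# account only; every other account on the server is untouched.
$sddl = "D:(A;;CC;;;$sid)"

# RDP uses TCP 3389 and, on newer clients, UDP 3389 as well, so block both.
foreach ($proto in "TCP", "UDP") {
    New-NetFirewallRule -DisplayName "Block outbound RDP ($proto) for $Account" `
        -Direction Outbound -Action Block -Profile Any `
        -Protocol $proto -RemotePort 3389 -LocalUser $sddl | Out-Null
}

# Verify that the principal scoping was stored with the rules.
Get-NetFirewallRule -DisplayName "Block outbound RDP*for $Account" |
    Get-NetFirewallSecurityFilter |
    Select-Object LocalUser
```

Matching on port 3389 only covers RDP listeners on the default port. The post's stronger variant, a block of all outbound traffic for the account with explicit allow rules for what the job needs, is the same construct with -Protocol and -RemotePort omitted from the block rule, plus allow rules scoped to the same SDDL.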