plus a lock on setting the time.
See, that's the thing. I'll bet that's why Microsoft hasn't bothered with locking the logons based on time from the local client desktop space. Very hard to (securely) lock the actual system time down on the local desktop when there is easy physical access to the machine. Too many ways to easily change the clock on a workstation PC, for someone who's serious about getting around time-based restrictions.
In a properly implemented domain environment, though, the server will be physically located behind a locked door, so it's possible to make the server's timeclock setting reasonably secure. Then you can accurately refuse server authentication based on the server's time of day.
Of course, refusing server authentication doesn't completely stop someone from mucking about on a client workstation; it just prevents them from accessing server resources. Again, in such an environment, the proper place for those resources is on the server instead of on the workstation.