In a properly implemented domain environment, though, the server will be physically located behind a locked door, so it's possible to make the server's timeclock setting reasonably secure. Then you can accurately refuse server authentication based on server's time of day.

Can't you easily get round this by:

- changing the workstation time
- unplug the workstation from the network
- logon
- plug the workstation back in

That way the workstation will use the cached domain login information without any reference to the server at all. Unless there is a setting that you can set to stop cached login info from being used ?