That way the workstation will use the cached domain login information without any reference to the server at all.

Right, but that's only the workstation.

My point (and I thought I'd made this clear earlier) was that in a properly secure Domain-based client/server environment, the sensitive stuff is stored on the server, and it's access to that server that you block based on TOD.