>> 1. Provide *logon* authentication for the users. If they don't
>> authenticate then I don't want them to be able to log onto the
>> system.
>
> This should be the way it works, at least to a first approximation.
> There are some important caveats, though:
>
> - You've got to configure the WinXP systems to be members of the
> domain.

We have been using Samba as a PDC on a Windows 2000 network, and it's
working quite well. There's an odd little process you have to follow to
join the domain: make sure each Windows XP system joins the domain, then
users can log in from any one of these.

> - I'm not sure about WinXP Pro, but with Win2K, it's possible
> for users to log on using a local user database instead of the domain

I think a solution for this is to automatically delete the roaming profiles
on the Windows systems. Under 2000, I used the group policy editor
(gpedit.msc command); there was an option somewhere in there to 'delete
local copies of roaming profiles' or something to that effect. Make sure
you switch that on!
--
Jem Berkes
http://www.sysdesign.ca/