RemoteApp – Allow Only RemoteApp, Not Remote Desktop

remote desktop, remoteapp, windows-server-2008-r2

I found the following question, with a similar premise; however, the answer to the question was the question rephrased as a statement!

RemoteApp Prevent User from Running Remote Desktop

How do I allow RemoteApp but disallow Remote Desktop? In order to allow RemoteApp, I'm seemingly having to add the users to the "Remote Desktop Users" group. This allows Remote Desktop.

I tried using the "TS Web Access Computers" group, however this does not give them the authority to run RemoteApp.

Where is the configuration to disable Remote Desktop, while leaving RemoteApp capabilities intact?

Best Answer

There isn't an "officially sanctioned" way to do this because, fundamentally, TS RemoteApp functionality is just leveraging existing Remote Desktop code. You could do something silly like use Group Policy to set the user's shell to be "logoff.exe" such that if they attempted to access the machine's desktop they'd be immediately logged off. Any application that uses a common "File / Open" dialog, though, can be used to get a command prompt or other programs open on the server's desktop.

You're better off making sure that you follow the principle of least privilege and give your TS RemoteApp users as few rights as they need to run the intended software. If they do end up on the server computer's desktop, their restricted rights should prevent them from doing anything damaging to the server computer.
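
One way to check the least-privilege advice in the answer above, as an added example that is not part of the original answer: a PowerShell audit that lists every member of the local "Remote Desktop Users" group and flags any that also sit in a privileged local group. The list of privileged groups and the function name `Get-LocalGroupMemberInfo` are assumptions made for this example, and nested domain groups are flagged for manual review rather than expanded.

```powershell
# Added example: least-privilege audit of RemoteApp users on a session host.
# Uses the ADSI WinNT provider, so it needs no cmdlets newer than PowerShell 2.0.

# Assumption: membership in any of these built-in local groups is more than a
# RemoteApp-only user needs. Adjust the list for your environment.
$PrivilegedGroups = @('Administrators', 'Backup Operators', 'Power Users')

function Get-LocalGroupMemberInfo {
    param([string]$GroupName, [string]$Computer = $env:COMPUTERNAME)
    try {
        $group = [ADSI]"WinNT://$Computer/$GroupName,group"
        # Members come back as raw COM objects; read their properties via reflection.
        foreach ($m in @($group.psbase.Invoke('Members'))) {
            $t = $m.GetType()
            New-Object PSObject -Property @{
                Path  = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
                Class = $t.InvokeMember('Class', 'GetProperty', $null, $m, $null)
            }
        }
    } catch {
        Write-Warning "Could not read group '$GroupName': $($_.Exception.Message)"
    }
}

# Map each privileged member's ADsPath to the privileged groups it belongs to.
$privileged = @{}
foreach ($g in $PrivilegedGroups) {
    foreach ($m in @(Get-LocalGroupMemberInfo $g)) {
        if (-not $privileged.ContainsKey($m.Path)) { $privileged[$m.Path] = @() }
        $privileged[$m.Path] += $g
    }
}

# Report on everyone who is allowed to open a Remote Desktop session.
foreach ($m in @(Get-LocalGroupMemberInfo 'Remote Desktop Users')) {
    if ($privileged.ContainsKey($m.Path)) {
        "OVER-PRIVILEGED  {0} (also in: {1})" -f $m.Path, ($privileged[$m.Path] -join ', ')
    } elseif ($m.Class -eq 'Group') {
        "REVIEW-NESTED    {0} (group; its members are not expanded here)" -f $m.Path
    } else {
        "OK               {0}" -f $m.Path
    }
}
```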