Windows – Restricting access to Share using both an AD user using a specific Computer

Tags: active-directory, file-permissions, permissions, user-accounts, windows

The Environment:
One AD domain that is not managed by local admins (can’t edit, can’t add GPO, etc.). Users have accounts here. Call this AD Alpha.
This AD Alpha has a trust to a local AD domain (call this one Zeta) that local admins administer. Contains computer accounts. Has accessible network shares.

Goal:
Set permissions on AD Zeta’s network shared folders using AD Alpha’s user accounts and AD Zeta computer accounts for folder access.

Reason:
To make sure that when a user using credentials from Alpha accesses a share on Zeta, they can only do so if they are also accessing that share from a machine they would normally use during working hours.

Example:
User A logged in with computer A = grant access
User A logged in with computer B = no access

User B logged in with computer B = grant access
User B logged in with computer A = no access

Best Answer

I don't believe there's any way to do this as you describe with native tools. NTFS (and share) permissions are assigned to a user, not to the computer that a user's network session is coming from. You could use IPSec or Windows Firewall on your Zeta server to only allow CIFS traffic to come from computer A, but then no other computers could connect to Zeta at all.

I think you're primarily out of luck. And it would be a big pain if computer A was re-imaged or got a new dynamic IP address or was simply retired. Why are you scared of computer B? It would generally already need to be in domain Alpha. And since you're allowing all kinds of network traffic between the domains anyway (I assume that they share a LAN?), you're not really preventing anything by your planned scheme that you wouldn't be vulnerable to anyway.
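As an added illustration of the host-level restriction the answer mentions (not part of the original answer): scoping the Zeta file server's inbound SMB rules to a fixed list of client addresses with Windows Firewall. The addresses and the English rule-group name are assumptions; run it as an administrator on the file server.

```powershell
# Added example: restrict inbound SMB (TCP 445) on the Zeta file server to specific clients.
# Assumptions: run elevated on the file server; the addresses below are constructed
# placeholders standing in for "computer A"; the built-in rule group is named
# 'File and Printer Sharing' (English locale).
$allowedClients = @('10.0.0.11', '10.0.0.12')

# Scope the existing SMB-In rules rather than adding a new allow rule: a second,
# unscoped allow rule would still admit every other host on the network.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' } |
    Set-NetFirewallRule -RemoteAddress $allowedClients -Enabled True -Profile Domain

# Verify the resulting scope so a forgotten unscoped rule is noticed.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    ForEach-Object {
        [pscustomobject]@{
            Rule   = $_.DisplayName
            Port   = ($_ | Get-NetFirewallPortFilter).LocalPort
            Remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        }
    }
```

This filters by source address only, so it blocks every other client and breaks as soon as the allowed machine's address changes, which is exactly the limitation the answer points out.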