Question : Problems with windows 2003 Group policy to terminal servers using security filters and Containers

Problems with Group policy application to terminal servers using security filters and Containers.
(using 2003 servers and Group Policy MAnagement tool)
I have tried two different ways of doing this
Method 1. - created TSlockdown GPO with policies to secure our Terminal serer (containing various computer and user policies)
    - created ZTSlockdown user group to select users
    - created TSservers computer group
I linked  the TSlockdown policy to the "a.local" domain in GPM and added ZTSlockdown and TSservers groups to the security filters (and removed the Authenticated users group).

The lock down worked fine on the TS machines however if a user in the ZTSlockdown group logged into a normal PC then they would also be restricted by the policy even though the PC was not a member of the TSservers group.

Method 2. I moved the TS machines into thier own container and linked the GPO to that container.
- added the TSlockdown group to the policy and removed the TSserver group.

The problem now being that the policy is not being applied to any of the machines TS or not.
When I run the Group policy results wizard for a TSlockdown user and one of the TS machines it shows the TSlockdown GPO hs been Denied due to Security filtering. The only security filter shown is  

I have used gpupdate and  restarted the machines to no avail.

I like method one the best but I dont want to lockdown all my PC's. Can security filtering be appied to using a "user and computer" logic instead of what appears to be "user OR computer" logic.

Answer : Problems with windows 2003 Group policy to terminal servers using security filters and Containers

The loopback link is kind of hidden in my above link, but here it is:
http://support.microsoft.com/kb/231287/