Is there a way to prevent users logged on through Terminal Services from accessing certain files or other objects?
Yes; you can use the special security principal Remote Interactive Logon, which is available in ACLs and user rights assignments. Then, when a user logs on to a computer through Remote Desktop, Remote Assistance, or Terminal Services, Windows places the Remote Interactive Logon SID in the user's access token, which causes any permissions or rights assigned to Remote Interactive Logon to apply to the user for the current logon session.
To block your Terminal Services users from accessing a folder, for example, simply add to the folder an access control entry (ACE) that denies Full Control to Remote Interactive Logon. Then, anyone who logs on through Terminal Services and tries to access the folder will be denied access.
—Randy Franklin Smith