You shouldn't really be restricting it like this, half the point of active directory is to allow people to roam between devices. As Dave said, important data should be stored on a network share that is restricted to each user. Even if you restrict to IP address there is nothing stopping someone maliciously bypassing the local administrator password or booting the machine into an alternative OS and accessing the files that way. At least with the files stored safely on a remote machine, people can't easily get physical access to it. If you must use local storage and can't have people seeing other users files, then the appropriate permissions should be set accordingly on each workstation.