Wow, Active Directory much? There are so many ways to do this correctly using simple groups in AD. Or hell, why do these public kiosks even need to be on the same network?
Why would a public kiosk even be running a consumer OS? They should be running a bare-bones OS with EVERYTHING not necessary to perform their intended functions removed. AND be on their own network.
Why are power plant (and other similar) control systems in any way accessible by the internet?
Why are credit-card processor internal networks in any way accessible by the internet?
Answer: because it's what happens by default, and people are too lazy or too ignorant to configure appropriate safeguards.
Because using some bespoke OS costs a fortune and accomplishes nothing.
Windows is more than capable of providing a secure environment for this sort of thing. What you're looking at is some shoddy work that was probably done by some contractor years ago.
I know of one software shop locally where the dev and build machines are on a complete network island. No external access at all. If you need to google something you need to use a different computer connected to the public internet. A bit inconvenient, but not unworkable. Devs have a laptop or tablet for public browsing, and their actual work takes place on the "clean room" network.
We have a handful[1] of secure machines that are allowed to SSH into production systems. No development or other Internet activity takes place on those boxes.
[1] A handful because many of us are remote. Mine is an EeePC.
Except that MAC filters aren't relevant to this situation at all. Private VLANs, however, are.
A VLAN would keep these computers on their own network, and firewalls could be set up on the network side to prevent this stuff from happening.
A MAC filter would do nothing in this situation, because you are using their computer. Even if you had a MAC filter, these computers would be white-listed anyway.
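One way the network-side isolation described in this comment can be expressed, as an added example that is not from any commenter: an nftables ruleset on the router that forwards traffic from a dedicated kiosk VLAN only toward the Internet and drops anything aimed at internal address space. The interface name `vlan30`, the kiosk subnet, the internal ranges and the resolver address are assumptions for illustration.

```nft
# Added example: isolate a public-kiosk VLAN at the router with nftables.
# Assumed names/addresses (not from the thread): vlan30 = kiosk VLAN,
# 10.30.0.0/24 = kiosk subnet, 10.0.0.0/8 + 192.168.0.0/16 = internal LANs,
# 10.0.0.53 = the only internal host kiosks may reach (DNS resolver).
table inet kiosk_isolation {
    set internal_nets {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Only traffic *from* the kiosk VLAN is handled here; other
        # VLANs keep the router's normal policy.
        iifname != "vlan30" return

        # Replies to kiosk-initiated connections are fine.
        ct state established,related accept

        # The kiosks may query the internal resolver, nothing else inside.
        ip daddr 10.0.0.53 udp dport 53 accept
        ip daddr 10.0.0.53 tcp dport 53 accept

        # Everything else toward internal address space is dropped and
        # logged so a kiosk probing the LAN shows up in the router's logs.
        ip daddr @internal_nets log prefix "kiosk->internal drop: " drop

        # Outbound web traffic to the Internet is allowed.
        tcp dport { 80, 443 } accept

        # Anything not explicitly allowed from the kiosk VLAN is dropped.
        drop
    }

    chain input {
        type filter hook input priority 0; policy accept;
        # Kiosks get no management access to the router itself.
        iifname "vlan30" tcp dport { 22, 443 } drop
    }
}
```

Load it with `nft -f <file>` on the router; the `log` line is what turns a kiosk trying to reach the LAN from a silent failure into an event a defender can alert on.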