Little out of my bounds here, but assuming the workstations have been migrated to the new domain, why not just blow-away the 2-way trust and make it one-way. Then they wont have the option of logging into the old domain.