There is no standard way to do this, but using Resource Kit Tools, and some freeware, you can script a solution. Here is one possibility:

1. Add the following statements to your logon script:

     ifmember "Domain Guests"
     if errorlevel 1 @echo . > %logonserver%\shutdown$\%computername%

     where Shutdown$ is a hidden share on each domain controller (c:\shutdown).
     Grant Everyone Full Control on the share and Add & Read NTFS permissions on the folder.
     Grant SYSTEM and Administrators Full Control.

2. Use Launcher to prevent the logon script from being aborted.

3. Start a batch job (shutuser.bat) on each domain controller, using AUTOEXNT so it starts at boot:

     start /low /min <drive>\folder\shutuser.bat

Shutuser.bat contains:

<b>
@echo off
:loop
sleep 120
for /f "Tokens=*" %%i in ('dir /b c:\shutdown') do call :shut %%i
goto loop
:shut
del /q c:\shutdown\%1
shutdown \\%1 /T:3600 /R /Y "You are authorized for 1 hour access"
:end</b>
Shutuser sleeps for 2 minutes and then checks c:\shutdown for any ComputerName files (created when Domain Guests logon). For each one it finds, it deletes the file and issues a shutdown in 1 hour on the Domain Guest's workstation. The Domain Guest can minimized the pop-up, but if they close it, they will immediately shutdown. They can also manually shutdown, if they are finished before the time limit. If the time limit expires, the workstation is shutdown and restarted.

Note: This procedure only works when the Domain Guest uses a Windows NT Workstation to logon to the domain.