A solution to this problem is to lock the computer sooner in the logon process. There are several good places within the logon process to put a task, but the one that may execute the soonest is certainly Userinit. Userinit is the first program which is executed after logon.

From MSDN: http://msdn.microsoft.com/en-us/library/aa378750(VS.85).aspx

Userinit.exe is an application that is executed when the user has logged on. It runs in the newly logged-on user’s context and on the application desktop. Its purpose is to set up the user’s environment, including restoring network uses, establishing profile settings such as fonts and screen colors, and running logon scripts. After completing those tasks, Userinit.exe executes the user shell programs. The shell programs inherit the environment that Userinit.exe sets up. The specific shell programs that Userinit.exe executes are stored in the Shell key value under the Winlogon registry key.

Add the lock command to Userinit

Create a batch file that will lock the computer:

rundll32.exe user32.dll,LockWorkStation

Name the file lock.bat and place it in the System Root. (c:\windows\system32).

Open regedit and navigate to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

The registry value Userinit should contain the path to Userinit.exe

C:\Windows\system32\userinit.exe

Change the value to contain the lock batch file before the Userinit.exe, with a comma between.

C:\Windows\System32\lock.bat, C:\Windows\system32\userinit.exe

Log off to see the result. Note that using a batch file does not discriminate between automatic logon, and user-initiated logon. One could write a program that would only call LockWorkStation if the computer was up for less than 10 minutes.

To enable automatic logon

If automatic logon isn’t already enabled, execute control userpasswords2 at the Run prompt, and uncheck Users must enter a username and password to use this computer.