Can the MAG 2600s prevent a user's computer from accessing certain hosts once they connect through VPN? We have a few sensitive applications we would like to disable when the user is connecting offsite via RDP, but give the user access while he/she is in the office sitting in front of his/her computer.
This can be achieved by configuring ACLs against the access mechanism (e.g. SAM, Terminal Services, NC, etc.) in the MAG 2600.
What access mechanism are you using to launch the RDP session through the MAG?
The access mechanism is Terminal Services. I understand this can be controlled via the Terminal Services policies; however, once the user is connected to their respective workstation via Terminal Services, we would like to then block that particular workstation from accessing specific applications.
Looking at this from a different perspective, we would need some type of control/firewall software on the end users' workstations/VMs, which is controlled by the MAG 2600?
You rather need to control the Terminal Server itself, for example by placing it in a DMZ. I know... in many cases this is not possible, so you could use software on that server to prevent the user from doing RDP to other machines. For example, a software firewall on that server or something like that. But I wouldn't really call that "secure" :-D When someone is on a machine in your LAN, then he's in your LAN...
But I think there's no way of doing this through the MAG config.
RDP access can be controlled, but once an RDP session is launched inside an RDP session, application access/deny cannot be controlled.