I am trying to set it up so they must be on a company machine to use Network Connect. I think limiting access to only machines connected to our domain would work, but when I go into Resource Policies / Network Connect and Detailed Rules and add a rule for ntdomain = "PB_MT", it saves but doesn't show up in the list and doesn't seem to work. Any suggestions or ideas?
I think you can use the following with a Host Checker policy to check whether the device is joined to the domain; I think the user has to log on with a domain account as well to get this value.
- For Windows 7
Key/Subkey: SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Domain
String: ABC.DEF.COM
- For Windows XP
Key/Subkey: Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName
String: ABC
I think this key works on both Win XP and Win 7:
Registry Subkey:\SYSTEM\ControlSet001\Services\Tcpip\Parameters
Name: Domain
Type: String
Value: <domainname>
This is what we are using, and it works for Windows XP, Vista and 7:
Key/Subkey: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NV Domain
String: domainnamehere
I would also make a fake file, name it something like mouse.dxp, put it in the Windows folder, hide it as a system file, and use an MD5 hash match to check for this file as well as the above.
If your detailed rule is ntdomain, that is an attribute from when users log in to the IVE; it will always be true since it is based on the AD/LDAP value.
The suggestions for use of Host Checker (any of the ideas posted will work great, singly or in combination) or certificates are the best ways to do this, as it relies solely on what is on the PC for access. Then require that policy on the role (making sure to enable the evaluate option on the realm).
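A check an administrator can run on an endpoint before building the Host Checker policy, as an added example that is not from any of the posts above: it reads the three registry values the thread proposes, compares them to the expected domain, and cross-checks the machine's real domain-join state. The expected domain values and the marker-file path are assumed placeholders.

```powershell
# Added example: verify the registry values the thread proposes for a Host Checker
# "domain membership" rule on a Windows endpoint. Expected values are placeholders.
param(
    [string]$ExpectedDnsDomain     = 'ABC.DEF.COM',   # placeholder, use your own DNS domain
    [string]$ExpectedNetbiosDomain = 'ABC'            # placeholder, use your own NetBIOS name
)

# Registry values named in the thread (Win7 Domain, XP DefaultDomainName, NV Domain).
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';   Name = 'Domain';            Expect = $ExpectedDnsDomain },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';   Name = 'NV Domain';         Expect = $ExpectedDnsDomain },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'DefaultDomainName'; Expect = $ExpectedNetbiosDomain }
)

function Test-HostCheckerRegistryValues {
    foreach ($c in $checks) {
        # -ErrorAction SilentlyContinue: a missing value is reported as a non-match, not an error.
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Path    = $c.Path
            Name    = $c.Name
            Actual  = $actual
            Matches = ($null -ne $actual) -and ($actual -ieq $c.Expect)
        }
    }
}

Test-HostCheckerRegistryValues | Format-Table -AutoSize

# Caveat: Domain / NV Domain under Tcpip\Parameters hold the primary DNS suffix, which a local
# administrator can set on a machine that is not domain-joined, and DefaultDomainName only
# reflects the last logon domain. Compare against the actual join state before trusting the rule.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
[pscustomobject]@{ PartOfDomain = $cs.PartOfDomain; Domain = $cs.Domain }

# Marker-file idea from the thread: the MD5 the Host Checker rule must match is simply the
# hash of the file you deploy. Path is an assumed placeholder.
$marker = Join-Path $env:WINDIR 'mouse.dxp'
if (Test-Path $marker) { Get-FileHash -Path $marker -Algorithm MD5 }
```

Run it in an elevated PowerShell session on a known-good domain machine and on a non-domain machine; any row that matches on both tells you that value alone does not distinguish company hardware.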