XP users can unlock screen after account lockout
Solution 1:
It's by design and looks rather logical. If users account are locked on domain controller, users cannot login with domain account anymore.
But on the locked workstation, all authorization (since no attempts to access any resources, e.g. fileshare, which require a new domain credentials check) is performed by the local security system because the local system trusts such users (already checked and authorized by AD).
So for this unlocked workstation security system, such users are still legal, but they are not able to access use any resource with domain authentication (printer/network drive) because account is locked already.
Solution 2:
Restricting cached credentials in Windows:
To force the workstation to consult a domain controller when unlocking, set the Computer Configuration, Windows Setting, Local Policy, Security Options control of "Interactive Logon: Require Domain Controller authentication to unlock workstation" to Enabled.
Solution 3:
Doesn't that just mean the local account lockout policy needs to be changed?
(I can't post comments now. OK, thanks, I'll read them. Shall I delete this one, o ye noob stompers?)
Seriously, upon reflection, I think this post was voted down as being too simple, and Sergey's was voted down for not being clear.