The approach you mentioned is the way to go. NTFS permissions.
oBdA, this varies from place to place. I know for sure (as I got a letter from Microsoft) that in many places they do accept that form of control as proof that no more than the number of licenses the customer has is in use at any given time in a TS/Citrix environment. This is a very common scenario, especially within government clients/agencies. They limit the number of people by NTFS permissions and after discussing this with Microsoft they actually get a formal, legal answer that accepts that.
But as you pointed out, if you go by the book, the licensing details you posted are correct.
So considering what was posted and what I have seen on the field, Microsoft seems to treat this on a case-by-case basis. You will have to contact your Microsoft representative and discuss the issue with him.
Cláudio Rodrigues
Citrix CTP