What directory are you using by chance? Is the username sent by MCP to WGCS or MWG correct?
For this situation I only see two possible ways of solving it.
1) Username to group mapping in the policy
2) Creating a local group on the workstation, assuming these aren't shared workstations
For 1) this will only work if the username is actually valid. So when a user logs in, it's a unique username (MCAFEE\jonscholten) and not something generic (MCAFEE\edirectory-generic). This would also require Web Hybrid mode as WGCS doesn't have the ability to map a username to a set of groups.
For 2) MCP works by sending the groups found on the local machine (from a command prompt type "whoami /groups" -- it's very similar to that). So if each user has their own workstation, then it'd be possible to add that user to a local group on the machine, and filter based on that.
Also, do you have the SR number? The include and exclude filter will filter groups, not add them.
This is a very small business, so no directory service is in use.
I've tried your second option, which seems to be working well. Thanks for your help!
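
A sketch of option 2 in PowerShell, added here as an illustration and not posted by either participant: it creates a local group, adds the workstation's user to it, and checks whether the group shows up in the `whoami /groups` output mentioned above. The group name `WebPolicy-Standard` and the account `jsmith` are hypothetical, and the `Group Name` column header assumes an English-language Windows install.

```powershell
#Requires -RunAsAdministrator
# Added example: group and user names are hypothetical placeholders.
$GroupName = 'WebPolicy-Standard'   # local group the web policy would filter on
$UserName  = 'jsmith'               # local account that owns this workstation

# Create the local group only if it is missing, so the script is safe to re-run.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'Web policy group' | Out-Null
}

# Add the user unless they are already a member.
$qualified = "$env:COMPUTERNAME\$UserName"
$members   = Get-LocalGroupMember -Group $GroupName |
             Select-Object -ExpandProperty Name
if ($members -notcontains $qualified) {
    Add-LocalGroupMember -Group $GroupName -Member $UserName
}

# Returns $true when the logon token of whoever runs it carries the group.
# Run this part in the user's own session, not the elevated admin one.
function Test-TokenHasGroup {
    param([Parameter(Mandatory)][string]$Name)
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    # Local groups are listed as COMPUTERNAME\GroupName.
    [bool]($groups | Where-Object { $_.'Group Name' -like "*\$Name" })
}

if (Test-TokenHasGroup -Name $GroupName) {
    Write-Output "Token contains $GroupName"
} else {
    # Group changes only reach the token at the next logon.
    Write-Output "$GroupName not in token yet: sign out and back in, then re-check"
}
```

Windows builds the group list into the logon token at sign-in, so a membership added during a session does not appear in `whoami /groups` until the user signs out and back in.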