It sounds like what you're looking for is the product MLC (McAfee Logon Collector). It watches your domain controller for logins from your users. The firewall can then contact the MLC when an IP address tries to go through the firewall. It will see if this IP address is associated with a logged-on user (and the groups that user is in) and compare it to what you have set in your rule. This is all transparent to the users. It's only for version 8 of the firewall.
You can also use Passport in a rule and use an Active Directory authenticator to generate a passport. Then your users would physically have to sign in once, the credentials are passed to the AD server, and a Passport is generated for however long you set it, if the authentication works. Then this user doesn't have to authenticate while the Passport is still valid. This is not transparent to the user of course.
For web traffic you could use the Windows authenticator. The browser can transparently pass the user's login credentials (NTLM) to your AD server when a user browses the web, and the firewall can create a Passport for this IP address. This type of non-transparent authentication is only for web browsing (because the browser itself passes the Windows credentials to the AD server).
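As an added illustration (not McAfee's code, and not part of the answer above), the following Python simulates the two identity lookup paths the answer describes: a transparent IP-to-user table fed by domain controller logon/logoff events, the way a logon collector would maintain one, and a passport cache with a fixed lifetime issued after an explicit authentication. The event format, class names, rule fields and all sample users, addresses and groups are constructed assumptions for the demonstration; the point is to show how a rule decision depends on which binding exists for the source address, and what happens when a user logs off, a DHCP address is reused by someone else, or a passport expires.

```python
"""Model of identity-aware firewall rule evaluation (added example, not vendor code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset


class LogonTable:
    """IP -> Identity map built from DC logon/logoff events (assumed event format)."""

    def __init__(self):
        self._by_ip = {}

    def apply_event(self, event):
        ip = event["ip"]
        if event["type"] == "logon":
            # A logon from a different account at the same address (e.g. a DHCP
            # lease reused by another machine) replaces the previous binding.
            self._by_ip[ip] = Identity(event["user"], frozenset(event["groups"]))
        elif event["type"] == "logoff":
            self._by_ip.pop(ip, None)

    def lookup(self, ip):
        return self._by_ip.get(ip)


class PassportCache:
    """IP -> (Identity, expiry) issued after an explicit sign-in; entries age out."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self._by_ip = {}

    def issue(self, ip, identity, now):
        self._by_ip[ip] = (identity, now + self.ttl)

    def lookup(self, ip, now):
        entry = self._by_ip.get(ip)
        if entry is None:
            return None
        identity, expires = entry
        if now >= expires:
            del self._by_ip[ip]  # expired: the user must authenticate again
            return None
        return identity


@dataclass(frozen=True)
class Rule:
    name: str
    allowed_groups: frozenset


def evaluate(rule, ip, logon_table, passports, now):
    """Return (action, reason): transparent logon binding first, then a valid passport."""
    identity = logon_table.lookup(ip)
    source = "logon-collector"
    if identity is None:
        identity = passports.lookup(ip, now)
        source = "passport"
    if identity is None:
        return "deny", f"{ip}: no user bound to this address"
    if identity.groups & rule.allowed_groups:
        return "allow", f"{ip}: {identity.user} via {source}, group match"
    return "deny", f"{ip}: {identity.user} via {source}, not in {sorted(rule.allowed_groups)}"


def run_scenario():
    """Constructed walk-through; returns a dict of labelled decisions."""
    rule = Rule("finance-portal", frozenset({"Finance"}))
    table = LogonTable()
    passports = PassportCache(ttl_seconds=3600)
    results = {}

    # Constructed DC events: alice (Finance) and bob (Staff only) log on.
    table.apply_event({"type": "logon", "ip": "10.0.0.5", "user": "alice", "groups": ["Staff", "Finance"]})
    table.apply_event({"type": "logon", "ip": "10.0.0.6", "user": "bob", "groups": ["Staff"]})
    results["alice_transparent"] = evaluate(rule, "10.0.0.5", table, passports, now=0)
    results["bob_wrong_group"] = evaluate(rule, "10.0.0.6", table, passports, now=0)
    results["unknown_address"] = evaluate(rule, "10.0.0.7", table, passports, now=0)

    # alice logs off: her address no longer carries an identity.
    table.apply_event({"type": "logoff", "ip": "10.0.0.5"})
    results["alice_after_logoff"] = evaluate(rule, "10.0.0.5", table, passports, now=10)

    # carol signs in explicitly from 10.0.0.7 and receives a one-hour passport.
    passports.issue("10.0.0.7", Identity("carol", frozenset({"Finance"})), now=100)
    results["carol_passport_valid"] = evaluate(rule, "10.0.0.7", table, passports, now=200)
    results["carol_passport_expired"] = evaluate(rule, "10.0.0.7", table, passports, now=3700)

    # DHCP reuse: dave's machine takes bob's old address and logs on as a guest.
    table.apply_event({"type": "logon", "ip": "10.0.0.6", "user": "dave", "groups": ["Guests"]})
    results["dave_replaced_bob"] = evaluate(rule, "10.0.0.6", table, passports, now=4000)
    return results


if __name__ == "__main__":
    for label, (action, reason) in run_scenario().items():
        print(f"{label:24} {action:5} {reason}")
```

The ordering in `evaluate` (transparent binding first, passport second) is an assumption of the example; the thing to notice is that every decision is only as trustworthy as the IP-to-user binding behind it, which is why logoff handling, passport lifetime and address reuse all change the outcome.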