Kinda sorta. You can remove the ability to control local access via both the "Log On Locally" and "Deny Logon Locally" local policy settings in the system's policy manager. You can access this by running "Secpol.msc" from Start>Run, and then going to Security Settings>Local Policies>User Rights Assignment. However, you can't add machines directly to this (to get around this, create a new group for the intended machines and add them to it) and most attempts to get at shares are done using the user's credentials. What are you trying to do? Are you simply attempting to share out files, yet not allow people to logon interactively (using the console)? In order to access anything from the server, the credentials have to be valid and permitted in the security policy. But that also allows someone with the same credentials to logon if he/she is in front of the computer. Try using "Deny Logon Locally" for the users, and just make sure that they are still in "Access This Computer from the Network".

I seem to recall that under NT4 you could deny users the ability to logon locally by making sure their accounts weren;t members of any local groups (Users, Power Users, Administrators etc). Does that carry over into 2k?

Users added to the users and groups in W2K server if I remember correctly do not have the right to logon locally by default.
If you want any to have the ability, you must add them to the ACL, or administrators group.
A quick easy way to check is to add a new user and then try logging on to the server.