If I read your post correctly, you're mixing up authentication with authorization. IMHO it's purely an authentication matter where you would like to use SSO for some users and "a second chance to log on to Windows" for some other users.
I think you could consider creating a second AccessPoint-with-its-own-QVWS connected to the same QVS that uses a Custom Login page to force a Windows login at all times.
On the other hand, I don't think that Microsoft supports shared Windows licenses in this way. Are you sure this is OK?