A user with a NamedCAL has no limitation to access applications from the licence point of view. If you want to apply an access-control on application-level you could adjust the file-access within the windows file-system like by all other files and folders within your environment.
Normally this will be applied on a folder-level to user-groups but with just 5 users and a few applications you could apply it on file-level (but if your environment grows you should change it to a more practically approach).
Another way could be to add a section access to your applications which could control the access on application-level and further vertically and horizontally within the application. Here you will find many useful informations about Section Access.
Common is to use the access-control per windows active directory and only if it's needed to add a section access.