I would always use the \\DomainName\Netlogon share to drop the KIX executables and the scripts
Create some domain groups and populate them with the users or groups that need certain NTFS Security on certain shares. Reuse the groups for your logon script to map the drives:
;*************************************************************************
; Script Name: LogonScript
; Author: Wim Rotty
; Date: 19/03/2008
; Description: Untested example to map drives!!!
;************************************************************************* 

;Script Options
If Not @LOGONMODE
    Break On
Else
    Break Off
EndIf
Dim $RC
$RC = SetOption("Explicit", "On")
$RC = SetOption("NoMacrosInStrings", "On")
$RC = SetOption("NoVarsInStrings", "On")
If @SCRIPTEXE = "KIX32.EXE"
    $RC = SetOption("WrapAtEOL", "On")
EndIf

;Code

;Clean up existing mappings if any
Use * /Delete /Persistent

;Map Public
Use "P:" "\\ServerName\PublicShare"

;Map Project Shares"
Use "Q:" "\\Server\Projects"

;Map Department Shares
Select
    Case InGroup("Accounting")
        Use "R:" "\\Server\Accounting"
    Case InGroup("Engineers")
        Use "R:" "\\Server\Engineers"
    Case InGroup("ICT")
        Use "R:" "\\Server\ICT"
EndSelect