Newer versions need enabled the logon as current version feature on the connection server and the horizon client
Using the Log In as Current User Feature Available with Windows-Based Horizon Client
"On the Connection Server instance, user credentials are encrypted and stored in the user session along with the username, domain, and optional UPN. The credentials are added when authentication occurs and are purged when the session object is destroyed. The session object is destroyed when the user logs out, the session times out, or authentication fails. The session object resides in volatile memory and is not stored in Horizon LDAP or in a disk file"
Can you explain the second part more, I think you can user client restrictions for your needs
Implementing Client Restrictions for Desktop and Application Pools