I have looked at the Group Policy options and found a couple but they only work once someone is part of the domain.
But an alternative question comes to mind - how about going to the known shares and changing the share options?
For example go to the properties of the shared folder and add authenticated users as a group allowed to access the share, set the rights as you desire and then remove the everyone group if its there. I would recommend doing this via the Computer Management GUI rather than through Windows Explorer.
I have tested this briefly and it appears this means the user cannot access the share unless they log on to the domain, thus becoming an authenticated user.
You can then use group policies to limit what they can and cannot map to or access.
You would also need to make sure that the offender did not know how to access the administrative shares (Admin$, C$ D$ etc, IPC$ and others) on the machine hosting the shares. If they did know how to access these admin shares and they were part of the administrator, backup operators, or server operators group then they will have the rights to access the share. Therefore the only other technical option may be to delete the admin shares (but this may break some functionality so approach this with caution).
Hope this helps and let us know how it goes or if you need more help.
