I think you'll find a logon script applied to the bank the MFP is using is the only way to do this.
I initially thought that perhaps you could do it by using access times (have one set to never), but there is no way to apply it to a group/device combination; it can only be applied to a device, so it would apply to everyone.
The script would be fairly straightforward. Just have a list of devices you want to restrict access to and a list of groups that shouldn't have access, then at logon check if the user's group is in the list and if the device is in the other list, and if both are true, deny logon.
Looks like you can apply access times to group/device combinations, with the only caveat being your access time cannot be completely blank; you need to have a small window, suggest 15 mins at silly o'clock in the morning.
Check this thread: "Setting up a printer with limited access"