Hi Tom,
Firstly, i would be curious to know how is your filter's set in Apache and InfoEngine.
Ideally if you can prevent them from login, you should be able to apply the same rule in JNDI, so that windchill wont even see them. For your requirement set up a user filter that allows all users from Windchill_Users to login.
Dont setup any group filters. so all the groups will come in Windchill.
If the above is done correctly, You can just allow access in the Product_ABC for Users from group Product_ABC_Users and that should do it all.
Theoritically it should work.