Is there a standard approach to this? I've noted you can change Internet Options locally to always require logon but I was trying to find a way to force anyone even already logged into the AD domain to have to re-enter their credentials when they try to access the Workspace.
Is it just a matter of altering the web.config for the Workspace area in some way or altering the Authentication parts of the website.
Have you tried setting the K2 Workspace site to Forms Authentication in IIS? Please see the below documentation https://help.k2.com/onlinehelp/K2blackpearl/ICG/4.7/default.htm#Configure/SF/SF_Authentication.htm. Note that you may also have to set the browser cache to automatically clear the cache when closed.