This is an easier solution:
If you want to allow only local users to run %windir%\system32\shutdown.exe -s -t 0, grant the SeRemoteShutdownPrivilege to the group INTERACTIVE. Only local users are members of this group.
How to do it: Run secpol.msc. Open Security Settings \ Local Policies \ User Rights Assignment. Double-click Force shutdown from a remote system in the right pane. Click Add User or Group. Enter the name INTERACTIVE in the text box and click Check names, then click OK, and OK again.
Source: http://blogs.msdn.com/aaron_margosis/archive/2006/01/27/518214.aspx