In thinking about this, one way I could go about getting what I want would be to use subdomains and the group-url option under the tunnel-groups that would then specify the default group policy and users wouldn't have the option to change it as long as I disable the alias. So xxx.domain.com would be bound to one policy, yyy.domain.com would be bound to another, etc.
If anyone has anymore thoughts, they are welcome. Otherwise i thought id just answer my own question.