the organizational groups would fit your needs, except of course they have to manually populated at this time (no query or connector is available in the console itself). So, my thoughts are that you could create a filter and set security on that, but I'd have to test and see if that actually made any difference.
So, you could create a Filter - Start with All Computers where Operating System 'in' Windows XP, and not in servers (just musing, no console accessible at the moment). Then grant your security role read access to that, and not to other filters.
Still messy, but possible.