Yes. This can be achieved with the following conditions. But user management will be completely MANUAL, and finalizing it might take a long time.
- Containers (at least User containers) should not be imported from AD to SEPM.
- SEP clients should be installed in User Mode.
With the above conditions, you will see a user account created in SEPM every time a new user logs in to a machine. For example, if user "X" logs in to machines A and B, then 2 entries will be created in SEPM for user "X": one for machine A and the other for machine B.
You can then create new groups as per your policy combinations and move the entries to different groups to achieve what you are looking for.
Note that the user account will be created only after the user logs in to a machine. Hence, if user "X" logs in to machine C in the future, it will create a new entry, and you will need to move it to the intended/correct group as per your policy needs for this user on this machine.
Note: When SEP clients are in User mode, definitions will not be downloaded until someone is logged in to the machine.
Just to mention: It will be a lot easier to manage if you just want to apply a policy for a user on every machine than applying a policy for a user on every specific machine.