We are planning to use a local challenge group on each Windows machine to hold details of which Users should not be challenged for SecurID credentials via the "Challenge All Users except" policy.
Do you have any recommendations/best practice on how to secure the group to stop people simply adding usernames into the group and bypassing SecurID?
You need to trust your administrators/users who have permissions to manage group membership, or block access using Microsoft settings. Note that if someone can reboot the machine and get into safe mode as an administrator they 'own' that machine, so not making everyone a local administrator will help. The Local Users and Groups snap-in can be restricted by Windows policy.
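
As an added example (not part of the original reply or any RSA tooling), the PowerShell below audits the exemption group for drift against an approved list and then lists past additions recorded in the Security log. The group name `SecurID-Exempt` and the approved accounts are hypothetical placeholders, and the event query assumes "Audit Security Group Management" is enabled on the machine.

```powershell
# Hypothetical names: the group and the approved accounts are placeholders.
$GroupName = 'SecurID-Exempt'
$Approved  = @('svc-backup', 'kiosk01')   # constructed sample allowlist

function Get-UnapprovedMember {
    param(
        [string[]]$Members,    # account names currently in the group
        [string[]]$Approved    # account names allowed to skip the challenge
    )
    # Strip the COMPUTER\ or DOMAIN\ prefix so names compare consistently.
    $Members | Where-Object { $_ -and (($_ -split '\\')[-1] -notin $Approved) }
}

# 1. Current state: who is in the exemption group right now?
$current = (Get-LocalGroupMember -Group $GroupName).Name
$drift   = Get-UnapprovedMember -Members $current -Approved $Approved
if ($drift) {
    Write-Warning "Unapproved members of ${GroupName}: $($drift -join ', ')"
}

# 2. History: event 4732 = a member was added to a security-enabled local group.
#    The message text names the group, the added account and who made the change.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($GroupName) } |
    Select-Object TimeCreated, Message
```

Run it from an elevated session, since reading the Security log requires administrative rights; forwarding the 4732 events to a central collector keeps the record out of reach of a local administrator on the machine itself.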