I get what you're trying to do - you've the permissions sorted but users can still "see" too much! I think you really need to look at vCloud Director or Lab Manager (EOL) here to scope the views and prevent users seeing other "customer" systems. Unless you can publish a URL that gives access to each VM directly, but I don't think the web client provides this?
Regards,
Mike