You can still apply a GP to individual users if you so choose. So for your drive mappings GP, you could only have it assigned to specific users at the GP level, and totally ignore the Item-Level Targeting. That is an option. I went the other route to have it assigned to everyone, and then since I use a single GPO to map multiple drives, I use Item-Level Targeting to determine who gets which drive mapped. (K: is mapped for all domain users, L: is mapped if you are in the Worship group, M: if you are Ministry staff, etc.) That way I don’t have to have separate GPOs for each drive mapping and mess with security at the GPO level.
For your second item, I believe it goes back to the security changes made by Microsoft this summer and the article I linked in a message above. You can apply a GPO to a user, BUT the computer the user is logging into has to have read access to the GPO. So if you are changing the Security Filtering scope to only apply to specific users, you then need to add permissions for the computer to be able to read the GPO. You can do this on the delegation tab. The article recommends that you use the delegation tab to grant Authenticated Users just the Read right. Remember, it won’t Apply the GPO to all authenticated users, since that is a separate right, it just allows them to be able to read it. Other options are to grant Domain Computers read rights, or even specific computers, but if the user logs into a different computer, or gets a new one, the GPO will not be read, and thus not applied. The article goes into more details and probably a better explanation than I could give.