That cannot be done with IPsec. However, if all the domain computers are
Windows 2000/2003 or XP Pro, you can use IPsec in the domain to prevent
non-domain computers from accessing any domain computer with an IPsec "require"
policy. IPsec is not something that can be implemented without some planning
and testing, though, and domain controllers must be exempt from any IPsec policy
that uses negotiated security, by adding their static IP addresses to a rule
that has a permit filter action. The link below is to a great paper on
IPsec. It is for Windows 2003, but much better than anything I have seen for
Windows 2000. Almost all of it applies to Windows 2000 also, except mainly for
the extra protection at startup, the default exemptions, the missing ipsecmon MMC
snap-in, and the fact that command-line tools like netsh cannot be used for W2K
IPsec. The article can also be downloaded for much easier reading.
http://www.microsoft.com/resources/.../all/deployguide/en-us/DNSBJ_IPS_OVERVIEW.asp
http://tinyurl.com/2v8na (shorter version of the same link)
Using DHCP to manage security is not that strong a measure, as it is easy for
someone to configure their computer with a static IP to access the network.
You might also look into switches that can filter ports by MAC address or,
better yet, use 802.1X authentication for port access. 802.1X, however,
requires compatible operating systems and an IAS and Certificate Authority
on the network, both of which Windows 2000/2003 can provide. MAC address
filtering can increase network security and keep out the idle curious, but not
the truly malicious user. The link below shows how 802.1X can be used to
protect a network and provide guest access also if needed. --- Steve
http://www.hp.com/rnd/pdf_html/guest_vlan_paper.htm
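As an added illustration of the policy described in the reply above (this script is not part of the original post or of the linked Microsoft paper): on Windows Server 2003, where the netsh ipsec static context is available, a domain-wide "require" policy with a permit exemption for the domain controllers can be scripted as follows. The domain controller addresses (192.0.2.10 and 192.0.2.11), the policy, filter list and rule names, and the ESP algorithm choice are assumptions made for illustration only; substitute the real DC addresses and keep the policy unassigned until it has been reviewed and tested.

```cmd
@echo off
REM Added example (not from the original post): netsh ipsec static script for
REM a domain "require" policy that exempts the domain controllers by static IP.
REM Windows Server 2003 syntax; the DC addresses, names and algorithms below
REM are assumed for illustration. The policy is created with assign=no so the
REM rules can be inspected on a test machine before anything is enforced.

set POLICY=Domain Require IPsec
set DC1=192.0.2.10
set DC2=192.0.2.11

REM 1. Create the policy without the default response rule, and leave it
REM    unassigned for now.
netsh ipsec static add policy name="%POLICY%" description="Require IPsec for all traffic except to domain controllers" activatedefaultrule=no assign=no

REM 2. Exemption rule: permit traffic to and from the domain controllers in
REM    the clear. Domain members must reach the DCs for Kerberos before IKE
REM    can authenticate with Kerberos, so these filters get a permit action.
REM    mirrored=yes matches the reply direction as well. A filter for a single
REM    address is more specific than the catch-all below and therefore wins.
netsh ipsec static add filterlist name="Domain Controllers"
netsh ipsec static add filter filterlist="Domain Controllers" srcaddr=me dstaddr=%DC1% dstmask=255.255.255.255 protocol=any mirrored=yes description="DC1 (assumed address)"
netsh ipsec static add filter filterlist="Domain Controllers" srcaddr=me dstaddr=%DC2% dstmask=255.255.255.255 protocol=any mirrored=yes description="DC2 (assumed address)"
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add rule name="Permit domain controllers" policy="%POLICY%" filterlist="Domain Controllers" filteraction="Permit"

REM 3. Everything else: require security. inpass=no rejects unsecured inbound
REM    traffic and soft=no refuses to fall back to clear text when the peer
REM    cannot negotiate, which is what keeps non-domain computers out.
REM    kerberos=yes limits successful negotiation to domain members.
netsh ipsec static add filterlist name="All IP Traffic"
netsh ipsec static add filter filterlist="All IP Traffic" srcaddr=me dstaddr=any protocol=any mirrored=yes
netsh ipsec static add filteraction name="Require Security" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"
netsh ipsec static add rule name="Require security for all other traffic" policy="%POLICY%" filterlist="All IP Traffic" filteraction="Require Security" kerberos=yes

REM 4. Review the result. Only after testing, assign it with:
REM    netsh ipsec static set policy name="%POLICY%" assign=yes
netsh ipsec static show policy name="%POLICY%" level=verbose
```

Any other server that domain members must reach before they can authenticate (for example a DNS or DHCP server that is not a domain controller) needs the same kind of permit exemption, and the algorithms and key lifetimes should be chosen for the environment rather than copied from this illustration.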