If 802.1x seems like overkill for your situation and you're looking more for a solution that inconveniences people enough so that they don't plug in hardware all willy-nilly, I like what my colleague did, and which works like a charm. All you need is a network where all devices have static or statically assigned DHCP IP addresses, which may be a good idea anyway, e.g. for long-term consistency in logs.
- On all machines, set the ARP cache entries for all IP addresses in the local IP network to a specific locally administered MAC address
- On the workstations, set the IP addresses of servers and gateways to the real HW addresses [*]
- On the servers, set the IP addresses of known workstations to the real HW addresses [*]
- On the DHCP service, assign a special range of addresses to unknown hosts
- On the gateways, route no traffic from that range, but only redirect all HTTP traffic on the default route to a web server that has an "unregistered machine, blah blah..." page as its default virtual host.
[*] can easily be done with a script against the main config source - we use LDAP for DHCP config and my colleague did it with a simple shell script that parses ldapsearch(1) output, and doing this in a Windows/AD environment shouldn't be harder - IronPython? PowerShell?
As I said, this is not rock-hard cryptographic security, but it fulfils two common security needs:
1. Salespeople cannot just stick their laptops into the LAN when they come back, which is a godsend against trojans &c
2. In the same vein, having workstations isolated from each other is golden - no mess of spontaneous CIFS shares, no virus spread...
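
The first three bullets of the procedure above, sketched as an added example; it is not the script the answer mentions. It turns ldapsearch(1) LDIF into a static ARP plan where every address in the network gets the decoy MAC unless the directory lists a valid real one. Assumptions: the ISC DHCP LDAP schema attributes `dhcpHWAddress` and `dhcpStatements`, a /24 network, Linux `ip neigh`, and the hypothetical names `arp_plan` and `sample_ldif`; the LDIF data is constructed.

```shell
#!/bin/sh
# Added example, not the original script. Prints the commands instead of
# running them, so the plan can be reviewed before it is applied.

# arp_plan PREFIX DECOY_MAC IFACE  < ldif
#   PREFIX     first three octets of the /24, e.g. 192.168.10 (assumed /24)
#   DECOY_MAC  locally administered MAC for every address not listed
arp_plan() {
    awk -v prefix="$1" -v decoy="$2" -v dev="$3" '
        function save_entry() {
            # MACs end up inside shell commands: accept only aa:bb:cc:dd:ee:ff.
            if (ip != "" && length(mac) == 17 &&
                mac ~ /^[0-9a-f][0-9a-f](:[0-9a-f][0-9a-f])+$/)
                real[ip] = mac
            mac = ""; ip = ""
        }
        /^dhcpHWAddress: ethernet /      { mac = tolower($3) }
        /^dhcpStatements: fixed-address / { ip = $3 }
        /^$/                              { save_entry() }  # blank line ends an entry
        END {
            save_entry()
            # Only addresses generated here are printed, so directory entries
            # outside the /24 (or with odd IP strings) are never emitted.
            for (i = 1; i <= 254; i++) {
                addr = prefix "." i
                lladdr = (addr in real) ? real[addr] : decoy
                printf "ip neigh replace %s lladdr %s nud permanent dev %s\n",
                       addr, lladdr, dev
            }
        }'
}

# Constructed sample: two valid hosts and one entry with a malformed MAC.
sample_ldif() {
    cat <<'EOF'
dn: cn=gw,ou=hosts,dc=example,dc=org
dhcpHWAddress: ethernet 00:16:3E:00:00:01
dhcpStatements: fixed-address 192.168.10.1

dn: cn=files,ou=hosts,dc=example,dc=org
dhcpHWAddress: ethernet 00:16:3e:00:00:05
dhcpStatements: fixed-address 192.168.10.5

dn: cn=broken,ou=hosts,dc=example,dc=org
dhcpHWAddress: ethernet zz:16:3e:00;00:09
dhcpStatements: fixed-address 192.168.10.9
EOF
}

sample_ldif | arp_plan 192.168.10 02:00:00:00:00:01 eth0 | sed -n '1,10p'
```

On a workstation, feed it the search result for servers and gateways; on a server, the result for known workstations. Running ldapsearch with `-o ldif-wrap=no` keeps long attribute lines from being folded.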