Blocking internet access to non-domain member computers


I manage a small network and I noticed the following: as soon as I plug any computer into our network, it gets an IP address from our DHCP server and can access the internet. I would like to limit internet access to computers which have domain accounts only.
I know one way would be to set up MAC filtering, but that would take a while and require maintenance.
Is there a setting in Windows 2000 Server DHCP which will do the job? Or a policy?


I don't know anything in DHCP that could be used for that.

As you point out using HW address reservations is a management nightmare.

Microsoft is mentioning using IPsec so that only people in your domain can talk to you.

Others (with newer network switches) are looking at 802.1x so that your computers authenticate to the network equipment before getting on the network. That is kind of an involved project.

And of course others have the philosophy "let them on, but they must meet my policy," using products like Cisco NAC or Clean Access to do that.

Never mind, I was answering a question of my own making. I'd say the easiest way to block internet access for unauthorized users is to have a password-protected HTTP proxy.

Change the security permissions on iexplore.exe to include only the users you want to allow to run it for internet access via IE.

pascal_p (Author) commented:
I'll accept boywaja's response as the most practical. The second response requires you to have access to a non-domain member computer. If someone off the street were to plug into my network (over my dead body), they would have internet access and I could not necessarily change their internet options.
It's surprising that Microsoft has not linked computer domain accounts and DHCP. Assuming network printers could be given network accounts.

Thanks everyone.