I think you are essentially asking for 'guest' access, i.e. users who are either on the AD or visitors who just want to get to the Internet & email.
This falls under the topic of "Network Access Control" or NAC which is a HOT topic (i.e. revenue) for a lot of companies...
PS: Our company struggles with this type of access need too...
Yes, 802.1X will allow you to lock ports down, BUT you'll be managing MAC addresses all day long... not sure how many switches you have, but it's a lot of effort, unless you have a network management suite + a RADIUS server.
BTW, the GPMC (Group Policy Management Console) CAN be installed on Windows 2003. If you want Group Policy PREFERENCES, you'll need a Vista machine or Windows 2008 AND install a Windows hotfix (or SP3 I think.)
Suggestion A:
If I may recommend one particular brand of Access points:
HP ProCurve 530's
With the latest firmware, they're able to allow users to associate with an AP - no setting changes needed; they would need to open a browser and attempt to visit a website. Upon doing so, with the help of the AP, they're redirected to your own login page. If they don't know the password, you can customize the login page to say 'call xyz' and ask for a password; you can interrogate them to your liking etc. Authorized users (based on perhaps an 802.1X certificate) can be added to a separate subnet. This particular AP CAN put different clients on different subnets and only use ONE Ethernet interface using VLAN tagging. Just need a router behind it to route between subnets. That's where the following ideas might help.
Walled Garden: Prevent certain (unknown) machines from passing a system without authorization. There are several Linux-based ones, or router-based ones (Smoothwall, pfSense being one of the best ones.)
A combination of the two:
Put a Linux system with TWO NICs (Gigabit preferred): one NIC points to the inside of your network (NIC-A), the other to the wireless LAN (NIC-B). Connect all the access points behind this Linux box. Create a VLAN on the NIC-B interface with two different subnets: 192.168.10.1/24 - Trusted IPs; 192.168.11.2/24 - Untrusted IPs. Set the AP's management port to be on the trusted IP range. Set this NIC to use VLAN tagging.
THE KEY: Set up TWO SSIDs in the Access Point:
TRUSTED WIRELESS: One perhaps with a WPA-PSK with AES, or WPA2-Enterprise with a RADIUS server in the back (use a self-signed cert that you can push out via GPOs.)
VLAN A
UNTRUSTED WIRELESS: No WPA-PSK, just a wide open network... Present the guest login prompt on the Access Point. Then set up a simple Linux firewall/filter on this network to limit their access to your private network EXCEPT perhaps your antivirus update servers...
VLAN B
VLAN A traffic gets full access/all ports through the Linux server.
Set up VLAN B traffic to your liking with normal firewall rules. I would recommend fw-builder to help with that.
COST: The cost of the HP ProCurve 530 APs, one Linux box with two NICs & some cables.
The only issue I'm still struggling with is HOW and what to do to scan the clients automatically... Perhaps your AV suite can help with a policy of some kind. NOD32 Remote Admin server/console, McAfee ePO, Symantec products all offer some sort of a method to load different policies depending on location/subnet.
Hope this helps...
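
The VLAN A / VLAN B split described in the post above, sketched as a default-deny ruleset for the two-NIC Linux box. This is an added example, not part of the original post; the interface names, VLAN IDs 10 and 11, the SSH management rule and the AV update server address are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): prints an iptables-restore ruleset for
# the two-NIC Linux box. Interface names, VLAN IDs and the AV server address
# are assumptions; override them through the environment.
INSIDE_IF="${INSIDE_IF:-eth0}"        # NIC-A, toward the internal network
TRUSTED_IF="${TRUSTED_IF:-eth1.10}"   # VLAN A on NIC-B (VLAN ID 10 assumed)
GUEST_IF="${GUEST_IF:-eth1.11}"       # VLAN B on NIC-B (VLAN ID 11 assumed)
AV_SERVER="${AV_SERVER:-10.0.0.50}"   # constructed AV update server address

build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The box itself: loopback, replies, and SSH management from the inside only.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $INSIDE_IF -p tcp --dport 22 -j ACCEPT
# Replies to connections that were already allowed.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# VLAN A (trusted SSID): full access, all ports.
-A FORWARD -i $TRUSTED_IF -j ACCEPT
# VLAN B (guest SSID): AV update server first, then block every private
# range (internal LAN and VLAN A included), then allow the rest (Internet).
-A FORWARD -i $GUEST_IF -d $AV_SERVER -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i $GUEST_IF -d 10.0.0.0/8 -j DROP
-A FORWARD -i $GUEST_IF -d 172.16.0.0/12 -j DROP
-A FORWARD -i $GUEST_IF -d 192.168.0.0/16 -j DROP
-A FORWARD -i $GUEST_IF -o $INSIDE_IF -j ACCEPT
COMMIT
EOF
}

# Print the ruleset only when asked, so the file can also be sourced.
if [ "${1:-}" = "--print" ]; then
    build_rules
fi
```

Saved under a name of your choice (guest-fw.sh here is hypothetical), the output can be checked with `sh guest-fw.sh --print | iptables-restore --test` before it is loaded. The order of the guest rules matters: the AV server exception has to come before the private-range drops.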