In education when we talk about NAP the question always comes up – well, couldn’t someone leverage this or that to circumvent NAP and still get on the network? Ultimately that’s the wrong approach in my opinion as users should see NAP as a tool employed to help users get/stay secure, not prevent them from accessing the network.
Once you’ve quarantined a machine you really need the infastructure to work quickly and seemlessly to prevent it from accessing resources other than what it needs for remediation, correct the issue, and get the machine back on the production network as soon as possible. Within the server and workstation environment we can drop the workstation to a quarantine DHCP scope and apply IPSEC rules that prevent it from accessing anything other than what it needs.
I just noticed on the NAP blog, we officially have taken the next step with a Cisco partnership to extend the technology to the network. This will allow for better control over quarantined machines and depending on how stringent the policy settings should also allow for tighter enforcement.