27 January 2007

putting workstations in a quarantine area: the easy way

I just answered a guy on activedir who would like to block all new workstations by default. The goal is to prevent users from playing with a workstation until it is secured by GPO / antivirus / inventory tools...

The way I propose is, broadly:
- Redirect all new workstations joining the domain to a new OU (let's say Quarantine). This can be done directly with Windows 2003 AD thanks to redircmp.exe.

- On the Quarantine OU, create a new GPO whose IPsec policy only allows encrypted traffic.
As only these stations will be set up to encrypt traffic, they won't be able to communicate with servers or with other stations.

The tricks are:
- If using DHCP, allow unencrypted traffic with the DHCP servers, or the workstation won't get a DHCP address (and won't be able to communicate with AD, so it can't pick up the OU change later).
- Allow unencrypted communication with the DCs, so the workstation can pick up the GPO change that stops the IPsec requirement once it leaves quarantine.

If a workstation doesn't stop using IPsec or doesn't pick up the GPO change:
- stop the Windows IPsec service
- issue gpupdate /force
- reboot
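The setup above, written out as an added example (this is not the original post's code): it builds the quarantine IPsec policy with netsh ipsec static on a Windows XP / 2003 lab machine so the rule set can be checked locally before it is recreated in the quarantine GPO, and it performs the redircmp step. The OU path and the DC address are placeholders; the cipher choice (ESP 3DES/SHA1) and the policy names are assumptions, not taken from the post. The last lines are the manual recovery steps (unassign the policy or stop the IPsec service, refresh policy, reboot) for a station that does not leave quarantine on its own. Note that the DHCP and DC exemptions are cleartext paths by design, so this quarantine is a policy control rather than network isolation.

```batch
@echo off
rem Added example, not the post's own script. Placeholders: replace before use.
set QUARANTINE_OU=OU=Quarantine,DC=example,DC=com
set DC_IP=192.0.2.10
set DC_MASK=255.255.255.255

rem Step 1: new computer accounts go to the quarantine OU instead of CN=Computers.
redircmp "%QUARANTINE_OU%"

rem Step 2: a policy that requires ESP for all traffic (no cleartext fallback:
rem inpass=no refuses unsecured inbound, soft=no refuses falling back to cleartext).
netsh ipsec static add policy name="Quarantine" description="New workstations: encrypted traffic only"
netsh ipsec static add filterlist name="Quarantine - All traffic"
netsh ipsec static add filter filterlist="Quarantine - All traffic" srcaddr=Me dstaddr=Any protocol=ANY mirrored=yes
netsh ipsec static add filteraction name="Quarantine - Require ESP" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"
netsh ipsec static add rule name="Quarantine - Require ESP" policy="Quarantine" filterlist="Quarantine - All traffic" filteraction="Quarantine - Require ESP" kerberos=yes

rem Step 3: the two exemptions from the post. DHCP (client UDP 68 -> server UDP 67)
rem so the station gets an address, and the DC so it can still pull the GPO change.
netsh ipsec static add filterlist name="Quarantine - Exempt"
netsh ipsec static add filter filterlist="Quarantine - Exempt" srcaddr=Me dstaddr=Any protocol=UDP srcport=68 dstport=67 mirrored=yes
netsh ipsec static add filter filterlist="Quarantine - Exempt" srcaddr=Me dstaddr=%DC_IP% dstmask=%DC_MASK% protocol=ANY mirrored=yes
netsh ipsec static add filteraction name="Quarantine - Permit" action=permit
netsh ipsec static add rule name="Quarantine - Exempt" policy="Quarantine" filterlist="Quarantine - Exempt" filteraction="Quarantine - Permit"

rem Step 4: assign the policy and review what was built.
netsh ipsec static set policy name="Quarantine" assign=y
netsh ipsec static show policy name="Quarantine" level=verbose

rem Manual recovery for a station stuck in quarantine (run as local administrator):
rem   netsh ipsec static set policy name="Quarantine" assign=n
rem   net stop PolicyAgent          (the "IPSEC Services" service)
rem   gpupdate /force
rem   shutdown -r -t 0
```

When the rules look right locally, recreate the same policy in the quarantine GPO under Computer Configuration, Windows Settings, Security Settings, IP Security Policies; the netsh store can be pointed at the domain with `netsh ipsec static set store location=domain` if you prefer to script that side too (an option I am assuming is present on your server version).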

The only way around it for a user is to be an administrator and stop the IPsec service manually. The service can be enforced by GPO (and more tightly by specifying a short GPO / IPsec policy refresh interval).

Hope it will help you!
