In the company that i work, they're want to give access for guests (costumers, etc). I make this configuration. Domain Controller giving DHCP for guests network. Isa server configured for relay agent in the interface guest. Automatic discovery is configured in guest interface. The access rule is configured for a group of my AD. It's working great, but have one big problem. My boss want to give internal access to all resources using the same guest network (they want to use the same Access Points), for domain users. I'm create one access rule giving all protocols, from guest network to internal network but, for a users group from my domain. It didn't work. If i change to ALL USERS, it works. But is not safe =/. Resuming. I want to give only internet access to guests, and all access to my internal network using the same network (guest).
Ok Paulo. I was thinking in use NAP for attend pre-requisites... Ex: the computer must be joined in domain... The others computers (guest and other OS) will be redirected to a vlan with restricted access (in this case the guest network with only HTTP / HTTPS access). Thanks for your reply.