What combination of Proxy Client, Firewall client, etc, will prohibit anyone from bringing in their personal laptop, connect to an RJ45 jack somewhere on my network, and getting out to the internet? Assuming I have non-managed switches, and my clients are currently SecureNat clients that is.
From: MICHIGAN, US
You should not have your main interanl switch/router connecting directly to your external network. It is best to have ISA with a dual nic configuration to get the most out of its security features. Put one leg in your DMZ (if you have a front-end firewall) or straight to External (if no other firewall exists) then put the other leg in the internal network. If you create the appropriate rules, configure the routes, etc you then should be able to force your users to go out the server. If you are forcing authentication then they will not be able to get out without providing credentials.
Without knowing your exact network layout you will have to do some careful research before ripping and plugging cables. So be careful.
Otherwise you should look into some NAC appliances like http://www.cisco.com/en/US/products/ps6128/. These are expensive but if I remember correctly there are some decent low cost versions available somewhere out there.
Also you should have the appropriate policies created for all staff and students.