here is how its done:
From Microsoft Knowledge Base article Q240247, here's how to set up a DHCP class:
Create a New User or Vendor Option Class
1. Start DHCP Manager.
2. In the console tree, click the applicable DHCP server branch.
3. Right-click the server, and then click Define User Classes to create a new user class, or click Define Vendor Classes to create a new vendor class.
4. Click Add.
5. In the New Class dialog box, type a descriptive identifying name for the new option in the Display name box. You may also add additional information to the Description box.
6. Type in the data to be used by the DHCP Server service for matching the class ID provided by DHCP clients under ID or ASCII. To enter the data as hexadecimal byte numeric values, click the left side of the text box. To enter data as American Standard Code for Information Interchange (ASCII) text character values, click the right side of the text box.
7. Click OK, and then click Close.
Configure a DHCP Scope with the New Class ID
1. In DHCP Manager, double-click the appropriate DHCP scope.
2. Right-click Scope Options and then click Configure Options.
3. Click Advanced.
4. Click to select the check box or boxes next to the features you want to use with the new vendor or user class.
5. Click OK.
Set the Specified DHCP Class ID String for Client Computers
Client computers that connect to a Windows 2000-based DHCP server can use the following command to set the specified DHCP class ID string:
ipconfig /setclassid adapter_name class_id
For example, to configure an adapter called "Local Area Connection" with a user class ID called "myuserclass", type ipconfig /setclassid "Local Area Connection" myuserclass at a command prompt, and then press ENTER.
Besides setting up a DHCP Class, there are some other ways to restrict unauthorized machines from accessing the Internet.
suggested, "You could install a proxy server and set up your PCs to only be allowed access to the Internet via that proxy server. Within the proxy server you could then set the users who are allowed Internet access."
Member rfurze also provided a suggestion for allowing Internet access to guests, while keeping the corporate network safe: "The visitors could plug into specific connections in a conference room or guest area and those connections could go back to a separate DMZ zone that isn't on your regular network. If they don't need to login to your network and only need Internet access there is much less risk and work involved if they are on their own separate network on a DMZ. I would also recommend having an appropriate policy and procedure that they are educated in, and sign off on, before they plug in."