LAN access

My company has a win2000 environment, with only 1 domain. A user brings in his home laptop and connects it to the company network without IT's pre-approval. His laptop runs win2000, configured to be part of Workgroup. He does not need to log on to the network, but still can map to known shared folders on the network. We would like to block this method, to safeguard our network against viruses, etc from non-company PCs. Is there a way to disable the 'Workgroup' or force all PCs to be part of the domain?

I say the best way to stop not autorized pc on a LAN is to have a whitelist of MAC address. Any MAC not no the list can't get on the network. BTW for wireless networks this is not good security its too easy to Spoof your MAC

Unfortunately MAC addresses are too easily spoofed.
There is no technical solution for this, its a policy and procedure problem from where I'm standing.

You can blacklist his MAC address by assigning a different ip to him that is not in the same range as your network which will prevent him from connecting to the network and using it's resources.

Wizmatic, not necessarily, as sahirh said, the validity of mac addresses can not be determined. Spoofing the mac addr. can be as simple as issuing an ifconfig command in unix or changing a key at the registry in windows.

Yep, I've seen this at many large organisations as well... there is just no way to rely on network addresses (either logical or physical) for authentication, simply because they are so easily changed..

In Linux I believe its as simple as
ifconfig eth0 hw addr ether xx-xx-xx-xx-xx-xx

or something like that...

So you really need to work out the proper policies to prevent the laptop threat.