What we ended up doing is allowing such a network only internet access as a separate LAN. In order to get back into the corporate network, one has to go to our SSL VPN, authenticate, and then the internal network is available again. We also have a Cisco security agent for NAC purposes that is required in order to use the SSL VPN, even for contractors or other external computers. If you're concerned about the type of device connecting to your internal network, then primarily agent-based Network Access Control would be the way to go.
_________________________
There are two types of vessels, submarines and targets.