We have a client that runs two networks.
First is corporate, no un-auth PCs, and a restricted proxy. Tie this down with enforced transparent proxy and domain/username LDAP authentication? (so only machines joined to domain can authenticate)
Second is a wireless one, WEP, no proxy, just straight out, this is for personal computers, used for lunch hour and bit of personal stuff etc.
Give them the choice, a second network with less restrictions, and they may choose to leave the corporate lan?